diff --git a/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml new file mode 100644 index 00000000..bfdf14b3 --- /dev/null +++ b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: {{ .Values.global.xraylab.namespace }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi \ No newline at end of file diff --git a/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml index 4b33c53c..41c33ea4 100644 --- a/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml +++ b/charts/all/medical-diagnosis/xray-init/templates/objectstore-user/job-cephobjstore-wait.yaml 
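Review bot: `ODFMINV` is used unguarded in `[[ ${ODFMINV} -lt 13 ]]`; if the `oc get subs` query fails or the CSV name does not have the expected shape the variable is empty, bash treats it as 0 in the arithmetic comparison, and the script silently takes the `Connected` branch instead of failing. Add `set -euo pipefail` after the shebang and a guard such as `[[ -n "${ODFMINV}" ]] || { echo "could not determine ODF version" >&2; exit 1; }` before the comparison. The wait timeout also drops from the job's previous 900s to 100s in both branches, which may be too short for a freshly created storage cluster, and a one-line comment explaining why `Connected` is the terminal phase below ODF 4.13 and `Ready` from 4.13 on would help the next reader.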
@@ -15,8 +15,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: {{ .Values.global.xraylab.namespace }}-sa diff --git a/charts/all/medical-diagnosis/xray-init/values.yaml b/charts/all/medical-diagnosis/xray-init/values.yaml index 818debfd..79488893 100644 --- a/charts/all/medical-diagnosis/xray-init/values.yaml +++ b/charts/all/medical-diagnosis/xray-init/values.yaml @@ -54,6 +54,20 @@ rbac: - "get" - "list" - "watch" + - name: view-odf-subs + createRole: true + apiGroups: + - "operators.coreos.com" + scope: + cluster: true + namespace: "" + resources: + - subs + - subscriptions + verbs: + - "get" + - "list" + - "watch" - name: view-odf-objectstoreusers createRole: true apiGroups: @@ -133,6 +147,19 @@ rbac: roleRef: kind: Role name: create-pattern-secret + - name: view-odf-subs-rb + createBinding: true + scope: + cluster: true + namespace: "" + subjects: + kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" + roleRef: + kind: ClusterRole + name: view-odf-subs - name: view-odf-storageclusters createBinding: true scope: @@ -184,4 +211,4 @@ rbac: apiGroup: "" roleRef: kind: Role - name: view-pattern-jobs \ No newline at end of file + name: view-pattern-jobs diff --git a/common/.ansible-lint b/common/.ansible-lint index 67a7552c..353222eb 100644 --- a/common/.ansible-lint +++ b/common/.ansible-lint 
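Review bot: In the new `view-odf-subs` rule, `subs` is an `oc` short name rather than an RBAC resource name, so the `- subs` entry matches nothing; `subscriptions` alone is what authorizes `oc get subs`, and the extra line should be dropped so the rule reads as what it actually grants. The wait script only reads `odf-operator` in `openshift-storage`, so if the chart's rbac template supports namespaced roles, a Role bound in that namespace would be narrower than the cluster-scoped ClusterRole and ClusterRoleBinding added here and in the `@@ -133,6 +147,19 @@` hunk. That binding also hard-codes `xraylab-1-sa`/`xraylab-1` while the job uses `{{ .Values.global.xraylab.namespace }}-sa`; this presumably follows the existing entries in the file, but it is worth confirming the two cannot drift apart.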
@@ -6,3 +6,12 @@ skip_list: - template-instead-of-copy # Templated files should use template instead of copy - yaml[line-length] # too long lines - yaml[indentation] # Forcing lists to be always indented by 2 chars is silly IMO + - var-naming[no-role-prefix] # This would be too much churn for very little gain + - no-changed-when + - var-naming[no-role-prefix] # There are too many changes now and it would be too risky + +# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role +exclude_paths: + - ./ansible/playbooks/vault/vault.yaml + - ./ansible/playbooks/iib-ci/iib-ci.yaml + - ./ansible/roles/vault_utils/tests/test.yml diff --git a/common/.github/dependabot.yml b/common/.github/dependabot.yml new file mode 100644 index 00000000..a175e666 --- /dev/null +++ b/common/.github/dependabot.yml @@ -0,0 +1,9 @@ +--- +version: 2 +updates: + # Check for updates to GitHub Actions every week + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + diff --git a/common/.github/workflows/ansible-lint.yml b/common/.github/workflows/ansible-lint.yml index 3b2de754..1bf2f7dd 100644 --- a/common/.github/workflows/ansible-lint.yml +++ b/common/.github/workflows/ansible-lint.yml @@ -8,11 +8,10 @@ jobs: steps: # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Lint Ansible Playbook - # Using the latest as of today (2023-01-24) v6.11.0 - uses: ansible/ansible-lint-action@v6.11.0 + uses: ansible/ansible-lint-action@v6 # Let's point it to the path with: path: "ansible/" diff --git a/common/.github/workflows/ansible-unittest.yml b/common/.github/workflows/ansible-unittest.yml index 3c8b5c46..af326b66 100644 --- a/common/.github/workflows/ansible-unittest.yml +++ b/common/.github/workflows/ansible-unittest.yml 
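Review bot: `var-naming[no-role-prefix]` is added to `skip_list` twice, with two different justification comments, so the second entry is redundant and the two reasons disagree. Keep a single line, e.g. `- var-naming[no-role-prefix] # Too much churn for very little gain`. `no-changed-when` is skipped globally without any comment while every other entry explains itself; a short reason on that line would match the file's style.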
@@ -20,7 +20,7 @@ jobs: name: Ansible unit tests strategy: matrix: - python-version: [3.10.10] + python-version: [3.11.3] # Set the agent to run on runs-on: ubuntu-latest @@ -32,13 +32,13 @@ jobs: # Checkout the code base # ########################## - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v1 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/common/.github/workflows/jsonschema.yaml b/common/.github/workflows/jsonschema.yaml index 00232f0b..a0c60c11 100644 --- a/common/.github/workflows/jsonschema.yaml +++ b/common/.github/workflows/jsonschema.yaml @@ -20,7 +20,7 @@ jobs: name: Json Schema tests strategy: matrix: - python-version: [3.11.2] + python-version: [3.11.3] # Set the agent to run on runs-on: ubuntu-latest @@ -32,13 +32,13 @@ jobs: # Checkout the code base # ########################## - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v1 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/common/.github/workflows/linter.yml b/common/.github/workflows/linter.yml index 8a276b0c..28c3944d 100644 --- a/common/.github/workflows/linter.yml +++ b/common/.github/workflows/linter.yml @@ -29,7 +29,7 @@ jobs: # Checkout the code base # ########################## - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 
diff --git a/common/.github/workflows/superlinter.yml b/common/.github/workflows/superlinter.yml index a3e22028..30cb00a8 100644 --- a/common/.github/workflows/superlinter.yml +++ b/common/.github/workflows/superlinter.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 @@ -21,7 +21,7 @@ jobs: # Run Linter against code base # ################################ - name: Lint Code Base - uses: github/super-linter/slim@v4 + uses: github/super-linter/slim@v5 env: VALIDATE_ALL_CODEBASE: true DEFAULT_BRANCH: main @@ -30,7 +30,7 @@ jobs: VALIDATE_ANSIBLE: false VALIDATE_BASH: false VALIDATE_JSCPD: false - VALIDATE_KUBERNETES_KUBEVAL: false + VALIDATE_KUBERNETES_KUBECONFORM: false VALIDATE_YAML: false # VALIDATE_DOCKERFILE_HADOLINT: false # VALIDATE_MARKDOWN: false diff --git a/common/Changes.md b/common/Changes.md index d4fe67a7..0e1e8c47 100644 --- a/common/Changes.md +++ b/common/Changes.md @@ -1,5 +1,23 @@ # Changes +## Jul 8, 2023 + +* Introduced a default of 20 for sync failures retries in argo applications (global override via global.options.applicationRetryLimit + and per-app override via .syncPolicy) + +## May 22, 2023 + +* Upgraded ESO to 0.8.2 +* *Important* we now use the newly blessed sso config for argo. This means that gitops < 1.8 are *unsupported* + +## May 18, 2023 + +* Introduce a EXTRA_HELM_OPTS env variable that will be passed to the helm invocations + +## April 21, 2023 + +* Added labels and annotation support to namespaces.yaml template + ## Apr 11, 2023 * Apply the ACM ocp-gitops-policy everywhere but the hub diff --git a/common/Makefile b/common/Makefile index c4d98414..83871b7e 100644 --- a/common/Makefile +++ b/common/Makefile 
@@ -1,11 +1,16 @@ -NAME=$(shell basename "`pwd`") +NAME ?= $(shell basename "`pwd`") ifneq ($(origin TARGET_SITE), undefined) TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE) endif +# This variable can be set in order to pass additional helm arguments from the +# the command line. I.e. we can set things without having to tweak values files +EXTRA_HELM_OPTS ?= + # INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248 -INDEX_IMAGES ?= -INDEX_OPTIONS=$(shell echo $(INDEX_IMAGES) | tr ',' '\n' | awk -F: 'match($$1,"/"){print "--set main.extraParameters."NR".name=clusterGroup.indexImages."NR".image --set main.extraParameters."NR".value="$$1":"$$2}') +# or +# INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248,registry-proxy.engineering.redhat.com/rh-osbs/iib:394249 +INDEX_IMAGES ?= TARGET_ORIGIN ?= origin # This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL @@ -15,12 +20,13 @@ TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e ' TARGET_BRANCH=$(shell git rev-parse --abbrev-ref HEAD) # --set values always take precedence over the contents of -f -HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(INDEX_OPTIONS) +HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(EXTRA_HELM_OPTS) ##@ Pattern Common Tasks .PHONY: help help: ## This help message + @echo "Pattern: $(NAME)" @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf " \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) # Makefiles in the individual patterns should call these targets explicitly 
@@ -55,6 +61,15 @@ uninstall: ## runs helm uninstall load-secrets: ## loads the secrets into the vault common/scripts/vault-utils.sh push_secrets $(NAME) +.PHONY: load-iib +load-iib: ## CI target to install Index Image Bundles + @set -e; if [ x$(INDEX_IMAGES) != x ]; then \ + for IIB in $(shell echo $(INDEX_IMAGES) | tr ',' '\n'); do \ + INDEX_IMAGE="$${IIB}" ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \ + done; \ + fi + + ##@ Validation Tasks # We only check the remote ssh git branch's existance if we're not running inside a container @@ -110,7 +125,8 @@ helmlint: ## run helm lint @for t in $(CHARTS); do common/scripts/lint.sh $$t $(TEST_OPTS); if [ $$? != 0 ]; then exit 1; fi; done API_URL ?= https://raw.githubusercontent.com/hybrid-cloud-patterns/ocp-schemas/main/openshift/4.10/ -KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition' +KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition,ClusterIssuer,CertManager,Certificate,ArgoCD' + # We need to skip 'CustomResourceDefinition' as openapi2jsonschema seems to be unable to generate them ATM .PHONY: kubeconform kubeconform: ## run helm kubeconform @@ -122,7 +138,7 @@ super-linter: ## Runs super linter locally podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \ -e VALIDATE_BASH=false \ -e VALIDATE_JSCPD=false \ - -e VALIDATE_KUBERNETES_KUBEVAL=false \ + -e VALIDATE_KUBERNETES_KUBECONFORM=false \ -e VALIDATE_YAML=false \ -e VALIDATE_ANSIBLE=false \ -e VALIDATE_DOCKERFILE_HADOLINT=false \ 
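Review bot: The comment under `KUBECONFORM_SKIP` still only explains why `CustomResourceDefinition` is skipped, while the new value also skips `ClusterIssuer`, `CertManager`, `Certificate` and `ArgoCD`. Each added kind should get a reason in that comment (presumably their schemas are missing from the `API_URL` schema set) so a later reader knows when the skip can be removed. The blank line inserted between the variable and its comment also detaches the two; keep them adjacent.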
@@ -130,11 +146,12 @@ super-linter: ## Runs super linter locally $(DISABLE_LINTERS) \ -v $(PWD):/tmp/lint:rw,z \ -w /tmp/lint \ - docker.io/github/super-linter:slim-v4 + docker.io/github/super-linter:slim-v5 .PHONY: ansible-lint ansible-lint: ## run ansible lint on ansible/ folder - podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/" + podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --env ANSIBLE_CONFIG=./ansible/ansible.cfg \ + --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/" .PHONY: ansible-unittest ansible-unittest: ## run ansible unit tests diff --git a/common/acm/templates/multiclusterhub.yaml b/common/acm/templates/multiclusterhub.yaml index f925d5a6..79ef9339 100644 --- a/common/acm/templates/multiclusterhub.yaml +++ b/common/acm/templates/multiclusterhub.yaml @@ -5,4 +5,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + {{- if kindIs "map" .Values.clusterGroup.subscriptions }} + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.clusterGroup.subscriptions.acm.source }}" }' + {{- end }} spec: {} diff --git a/common/acm/templates/policies/application-policies.yaml b/common/acm/templates/policies/application-policies.yaml index 0cb10ae0..f1c7bbdd 100644 --- a/common/acm/templates/policies/application-policies.yaml +++ b/common/acm/templates/policies/application-policies.yaml @@ -95,6 +95,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} ignoreDifferences: - group: apps kind: Deployment diff --git a/common/acm/values.yaml b/common/acm/values.yaml index b7c27d88..1f430370 100644 --- a/common/acm/values.yaml +++ b/common/acm/values.yaml 
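Review bot: The `kindIs "map"` guard checks `.Values.clusterGroup.subscriptions`, but the template then dereferences `.acm.source`, so a values file whose subscriptions map has no `acm` key fails rendering with a nil-pointer error instead of falling back to `redhat-operators`; `default` only covers a missing leaf. Helm's `dig` keeps the fallback in both cases: `{{ dig "acm" "source" "redhat-operators" .Values.clusterGroup.subscriptions }}`. The annotation value is a hand-built JSON string, so a source name containing a quote would produce invalid JSON; rendering a small dict with `toJson` would be safer, though catalog source names are unlikely to contain one.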
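Review bot: `default 20 $.Values.global.options.applicationRetryLimit` only protects against a missing `applicationRetryLimit`; if `global.options` itself is absent from a pattern's values, the `.applicationRetryLimit` access on nil fails rendering. Unless the chart's own values.yaml guarantees `global.options`, `{{ dig "options" "applicationRetryLimit" 20 $.Values.global }}` keeps the default in both cases. `retry` is added without a `backoff` block, so Argo's built-in backoff applies; a short comment stating that this is intentional would save the next reader a lookup.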
@@ -9,6 +9,9 @@ global: clusterGroup: + subscriptions: + acm: + source: redhat-operators managedClusterGroups: # testRegion: # name: region-one diff --git a/common/ansible/ansible.cfg b/common/ansible/ansible.cfg index 4cceda11..652feb98 100644 --- a/common/ansible/ansible.cfg +++ b/common/ansible/ansible.cfg @@ -1,5 +1,4 @@ [defaults] -display_skipped_hosts=False localhost_warning=False library=./plugins/modules:~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules roles_path=./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles diff --git a/common/ansible/playbooks/acm/acmhub-get-ca.yaml b/common/ansible/playbooks/acm/acmhub-get-ca.yaml index 8c6d2684..770333ff 100644 --- a/common/ansible/playbooks/acm/acmhub-get-ca.yaml +++ b/common/ansible/playbooks/acm/acmhub-get-ca.yaml @@ -1,7 +1,8 @@ # This playbook fetches the hub cluster's CAbundle from ACM's objects # and puts it in a secret inside the imperative namespace --- -- hosts: localhost +- name: ACM Get Hub CA + hosts: localhost connection: local gather_facts: false become: false diff --git a/common/ansible/playbooks/hello-world/hello-world.yaml b/common/ansible/playbooks/hello-world/hello-world.yaml new file mode 100644 index 00000000..c0a992a7 --- /dev/null +++ b/common/ansible/playbooks/hello-world/hello-world.yaml @@ -0,0 +1,23 @@ +# This playbook is a simple hello-world playbook to show capabilities +# It creates a config-map inside the imperative namespace containing +# the helm variable "global.clusterDomain" +--- +- name: Hello World Example + hosts: localhost + connection: local + gather_facts: false + become: false + vars: + ns: imperative + tasks: + - name: Create secret with managed cluster's CA + kubernetes.core.k8s: + state: present + definition: + kind: ConfigMap + apiVersion: v1 + metadata: + name: "hello-world" + namespace: "{{ ns }}" + data: + hello-cluster-domain: "{{ global['clusterDomain'] }}" 
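Review bot: The task is named `Create secret with managed cluster's CA` but it creates a ConfigMap carrying `global.clusterDomain`; the name looks copied from acmhub-get-ca.yaml and will mislead anyone reading play output. Rename it, e.g. `- name: Create hello-world configmap with the cluster domain`. The header comment describes the intent correctly, so only the task name needs changing.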
diff --git a/common/ansible/playbooks/iib-ci/iib-ci.yaml b/common/ansible/playbooks/iib-ci/iib-ci.yaml new file mode 100644 index 00000000..dc6e45cb --- /dev/null +++ b/common/ansible/playbooks/iib-ci/iib-ci.yaml @@ -0,0 +1,8 @@ +# This playbook invokes the iib_ci role +--- +- name: IIB CI playbook + hosts: localhost + connection: local + gather_facts: false + roles: + - iib_ci diff --git a/common/ansible/playbooks/iib-ci/lookup.yml b/common/ansible/playbooks/iib-ci/lookup.yml new file mode 100644 index 00000000..f7e42ca4 --- /dev/null +++ b/common/ansible/playbooks/iib-ci/lookup.yml 
@@ -0,0 +1,46 @@ +--- +- name: IIB CI playbook + hosts: localhost + connection: local + gather_facts: false + vars: + rh_url: "https://datagrepper.engineering.redhat.com/raw?topic=/topic/VirtualTopic.eng.ci.redhat-container-image.index.built&contains=%s&rows_per_page=20" + operator: "openshift-gitops-1-gitops-operator-bundle" + ocp_versions: {} + tasks: + - name: Set url fact + ansible.builtin.set_fact: + url: "{{ rh_url | format(operator + ':v') }}" + + - name: Fetch URI + ansible.builtin.uri: + url: "{{ url }}" + return_content: true + register: jsoncontent + + - name: Setting content + ansible.builtin.set_fact: + content: "{{ jsoncontent['content'] | from_json }}" + + - name: Set messages fact + ansible.builtin.set_fact: + raw_messages: "{{ content.raw_messages }}" + + # The when clause is because if we already have an IIB for an ocp version we do not + # want to override it (combine will always override existing keys) + # Reason for this is that the messages are sorted last first and we only want the + # last entries + - name: Set output + ansible.builtin.set_fact: + ocp_versions: "{{ ocp_versions | combine({item['msg']['index']['ocp_version']: {'indeximage': item['msg']['index']['index_image'], 'bundleimage': item['msg']['index']['added_bundle_images'][0]}}) }}" + loop: "{{ raw_messages }}" + when: item['msg']['index']['ocp_version'] is not in ocp_versions + loop_control: + label: "{{ item['msg']['index']['ocp_version'] }}" + + - name: Print OCP versions for "{{ operator }}" + ansible.builtin.debug: + msg: "{{ item.key }} -> {{ item.value }}" + loop: "{{ ocp_versions | dict2items }}" + loop_control: + label: "{{ item.key }}" diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md new file mode 100644 index 00000000..1d8b447e --- /dev/null +++ b/common/ansible/roles/iib_ci/README.md 
@@ -0,0 +1,85 @@ +# IIB Utilities + +A set of ansible plays to fetch an IIB (Image Index Bundle, aka a container created by the operator sdk +that contains a bunch of references to operators that can be installed in an OpenShift cluster) + +Run `make lookup` to see which IIBs are available. + +Typically IIB are prerelease stuff that lives on some internal boxes. What these scripts do is fetch +the IIB internally, mirror it to the registry inside the cluster, parse all the needed images and mirror +those to the internal cluster registry and then set up the registries.conf files on all nodes so +that the images used are the ones pointing to the internal cluster. + +## Usage + +By default the operator to be installed from the IIB is `openshift-gitops-operator`. You can override this through the `OPERATOR` env variable. +For example, to mirror an operator into an existing cluster you would do the following: + +```sh +export KUBECONFIG=/tmp/foo/kubeconfig +export OPERATOR=openshift-gitops-operator +export IIB=492329 +export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:${IIB} +export KUBEADMINPASS="11111-22222-33333-44444" +# This will push the IIB and all the needed images for the default openshift-gitops-operator into the cluster +make load-iib +# This will install the pattern using the gitops operator from the IIB +``` + +Then in case of the `openshift-gitops-operator` we would install with: + +```sh +export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') +make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.gitops.channel=${CHANNEL}" install +``` + +To install ACM (`export OPERATOR=advanced-cluster-management`) or any other +operator (except the gitops one) from an IIB we would call the following as a +final step: + +```sh +export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l 
"catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') +make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install +``` + +*Note*: This needs VP operator version >= 0.0.14 + +### OCP 4.13 and onwards + +Since 4.13 supports an internal registry that can cope with v2 docker manifests, we +use that. Run `make iib` with the following environment variables set: + +* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` +* `KUBEADMINPASS="11111-22222-33333-44444"` + +### OCP 4.12 and previous versions + +Due to the lack of v2 manifest support on the internal registry, we use an external +registry. Run `make iib` with the following environment variables set: + +* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` +* `REGISTRY=quay.io/rhn_support_mbaldess/iib` +* `REGISTRY_TOKEN=:` + +*Note*: For the REGISTRY_TOKEN go to your quay repository, add a robot with "Write" permissions. The robot created will have a "username" and "password" fields. Set the REGISTRY_TOKEN environment variable to that value. + +## Useful commands + +* List IIBs for an operator: + +```sh +ansible-playbook common/ansible/playbooks/iib-ci/lookup.yml +... +ok: [localhost] => (item=v4.13) => { + "msg": "v4.13 -> {'indeximage': 'registry-proxy.engineering.redhat.com/rh-osbs/iib:509435', 'bundleimage': 'registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle:v99.9.0-106'}" +} +... +``` + +Override the `operator` value with the desired bundle name to figure out the last IIBs for it. 
+ +* List all images uploaded to the internal registry: + +```sh +oc exec -it -n openshift-image-registry $(oc get pods -n openshift-image-registry -o json | jq -r '.items[].metadata.name | select(. | test("^image-registry-"))' | head -n1) -- bash -c "curl -k -u kubeadmin:$(oc whoami -t) https://localhost:5000/v2/_catalog" +``` diff --git a/common/ansible/roles/iib_ci/defaults/main.yml b/common/ansible/roles/iib_ci/defaults/main.yml new file mode 100644 index 00000000..7605dba5 --- /dev/null +++ b/common/ansible/roles/iib_ci/defaults/main.yml @@ -0,0 +1,17 @@ +rh_internal_registry: registry-proxy.engineering.redhat.com +iib_image: "{{ lookup('env', 'INDEX_IMAGE') }}" + +external_registry: "{{ lookup('env', 'REGISTRY') }}" +external_registry_token: "{{ lookup('env', 'REGISTRY_TOKEN') }}" +external_registry_email: noemail@localhost + +kubeadminpass: "{{ lookup('env', 'KUBEADMINPASS') }}" + +internal_registry_ns: openshift-marketplace +internal_registry_email: noemail@localhost +internal_registry_user: registry-custom-user +internal_registry_pass: "{{ lookup('env', 'INTERNAL_REGISTRY_USER') }}" + +# We can use default(, true) below because OPERATOR is a string and not +# a boolean +operator: "{{ lookup('env', 'OPERATOR') | default('openshift-gitops-operator', true) }}" diff --git a/common/ansible/roles/iib_ci/handlers/main.yml b/common/ansible/roles/iib_ci/handlers/main.yml new file mode 100644 index 00000000..a983544d --- /dev/null +++ b/common/ansible/roles/iib_ci/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for vault_utils diff --git a/common/ansible/roles/iib_ci/meta/main.yml b/common/ansible/roles/iib_ci/meta/main.yml new file mode 100644 index 00000000..c9d7005d --- /dev/null +++ b/common/ansible/roles/iib_ci/meta/main.yml 
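Review bot: `internal_registry_pass` is populated from the env variable `INTERNAL_REGISTRY_USER`, which looks like a copy-paste slip: the username is the fixed `registry-custom-user`, so the password would come from a differently named variable (`INTERNAL_REGISTRY_PASS` or whatever the CI job exports — confirm). If that variable is unset the lookup yields an empty string and the registry user is presumably created with an empty password; the tasks that consume it are outside this hunk. Since `kubeadminpass`, `external_registry_token` and this value are credentials, the tasks that use them should carry `no_log: true` so they do not land in verbose playbook output.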
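Review bot: The header comment reads `# handlers file for vault_utils` in a file that belongs to the `iib_ci` role; it was evidently copied from that role. Change it to `# handlers file for iib_ci`, or drop the empty file if the role defines no handlers.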
@@ -0,0 +1,29 @@ +galaxy_info: + author: Validated Patterns Team https://github.com/hybrid-cloud-patterns/ + description: Internal module to work with IIBs (Image Index Bundles) + + issue_tracker_url: https://github.com/hybrid-cloud-patterns/common/issues + license: Apache-2.0 + min_ansible_version: "2.1" + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + platforms: + - name: Fedora + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + - name: EL + versions: + - "8" + - "9" + + galaxy_tags: [] + +dependencies: [] diff --git a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml new file mode 100644 index 00000000..10f083e9 --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml 
@@ -0,0 +1,95 @@ +# This task fetches all the images given an operator name +# the operator name is defined in the variable "item". This +# set of tasks is to be included in a loop that goes over the +# needed operators +- name: Get default channel in the IIB for "{{ item }}" + ansible.builtin.shell: | + oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ + -o jsonpath='{.items[0].status.defaultChannel}' + register: default_channel_raw + retries: 10 + delay: 10 + until: default_channel_raw is not failed + +- name: Set default channel fact + ansible.builtin.set_fact: + default_channel: "{{ default_channel_raw.stdout }}" + +- name: Get all related images in the IIB for "{{ item }}" + ansible.builtin.shell: | + oc get packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ + -o jsonpath="{.items[0].status.channels[?(@.name==\"{{ default_channel }}\")].currentCSVDesc.relatedImages}" + register: related_images_raw + +- name: Set related_images fact + ansible.builtin.set_fact: + related_images: "{{ related_images_raw.stdout }}" + +# NOTE(bandini) +# The following code is here to fund out what the operator bundle image is and to make +# sure it is on the internal registry. +# This is all potentially hacky, but so far I could not find a single place in the cluster +# where the olm.bundle image is available. The info is in there in the IIB, but it certainly +# is not in any package manifest nor catalogsource. 
This is why we resort to invoking opm +# alpha commands inside the IIB image locally +- name: Pull the IIB locally + ansible.builtin.command: + podman pull "{{ iib_image }}" + +# $ opm alpha list channels /configs advanced-cluster-management +# PACKAGE CHANNEL HEAD +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 +# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 +- name: Read the operator bundle from the default channel + ansible.builtin.shell: | + set -o pipefail + podman run -it --rm "{{ iib_image }}" alpha list channels /configs "{{ item }}" | grep --word-regexp "{{ default_channel }}" | awk '{ print $3 }' + register: bundle_channel_raw + +- name: Set bundle fact + ansible.builtin.set_fact: + bundle_channel: "{{ bundle_channel_raw.stdout }}" + +- name: Fail if bundle_channel is empty + ansible.builtin.fail: + msg: "Failed to find bundle from channel: {{ bundle_channel_raw }}" + when: > + (bundle_channel is not defined) or (bundle_channel | length == 0) + +# $ opm alpha list bundles /configs advanced-cluster-management +# PACKAGE CHANNEL BUNDLE REPLACES SKIPS SKIP RANGE IMAGE +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.0 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:f63d0a9a0e3dc9d86e84279c50e9c613d8430e71a3821d418e168250ca3b747c +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.1 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.1 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:a81a574f2f22d37681c44fe0c3b958074408705415de333de54d120145537533 +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.2 advanced-cluster-management.v2.7.1 >=2.6.0 <2.7.2 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:8a2c758689eaebe6a287315ca18fd9122f323e195ea3410db005b6a449060fad +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.3 advanced-cluster-management.v2.7.2 >=2.6.0 
<2.7.3 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:208f4d9473a923817c102bb7e5f138d3e1e8ed3057a23a220ffa8fe9c0c27128 +# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 advanced-cluster-management.v2.7.3 >=2.6.0 <2.7.4 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:75b6438e08800b2e3608aeb01c1c0a68810108d9905fff35916afd21e6d32685 +# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 >=2.7.0 <2.8.0-130 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:6c385aa69256cdd964ae9e79e52ce52e1048391f0557af59843326c4ebe9bec0 +- name: Get bundle image + ansible.builtin.shell: | + set -o pipefail + podman run -it --rm "{{ iib_image }}" alpha list bundles /configs "{{ item }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }' + register: bundle_image_raw + +- name: Set bundle image fact + ansible.builtin.set_fact: + bundle_image: "{{ bundle_image_raw.stdout }}" + +- name: Fail if bundle_image is empty + ansible.builtin.fail: + msg: "Failed to find bundle image: {{ bundle_image_raw }}" + when: > + (bundle_image is not defined) or (bundle_image | length == 0) + +# all_images will be a list as follows: +# [ "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40", +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b", +# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759", +# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792", +# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2", +# 
"registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461", +# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5", +# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0dda..." ] +- name: Set all images fact (related images + operator bundles) + ansible.builtin.set_fact: + all_images: "{{ all_images + related_images + [bundle_image] }}" diff --git a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml new file mode 100644 index 00000000..4b39184c --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml 
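Review bot: `related_images` is set to `related_images_raw.stdout`, a JSON string, and the last task concatenates it with lists in `all_images + related_images + [bundle_image]`; this only works because Ansible re-evaluates a list-looking string result into a list, which does not happen under jinja2 native types. Parse it explicitly with `related_images: "{{ related_images_raw.stdout | from_json }}"` and handle an empty stdout rather than relying on the implicit conversion. `{{ item }}` and `{{ default_channel }}` are interpolated straight into shell and grep command lines in several tasks; they come from the `OPERATOR` env variable and cluster data rather than untrusted input, but `{{ item | quote }}` costs nothing and removes the dependence on the value being free of shell metacharacters. The two `podman run -it` invocations request a TTY that the Ansible shell task does not have; `-i` alone (or neither flag) is enough for a non-interactive `opm` call.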
@@ -0,0 +1,52 @@ +- name: Remove manifest folder "{{ iib_local_folder }}" + ansible.builtin.file: + path: "{{ iib_local_folder }}" + state: absent + +- name: Create manifest folder "{{ iib_local_folder }}" + ansible.builtin.file: + path: "{{ iib_local_folder }}" + state: directory + mode: "0755" + +# This generates files in /tmp/manifest-IIB: +# - mapping.txt +# - catalogSource.yaml +# - imageContentSourcePolicy.yaml +- name: Mirror catalog manifests only to "{{ iib_local_folder }}" + ansible.builtin.shell: | + oc adm catalog mirror --insecure --manifests-only --to-manifests=. \ + "{{ iib_image }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1 + args: + chdir: "{{ iib_local_folder }}" + +- name: Mirror IIB to "{{ mirror_iib }}" + ansible.builtin.shell: | + oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" \ + "{{ iib_image }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1 + args: + chdir: "{{ iib_local_folder }}" + register: oc_mirror_result + retries: 10 + delay: 5 + until: oc_mirror_result is not failed + +- name: Template mirrored catalogsource + ansible.builtin.template: + src: ./templates/catalogSource.yaml.j2 + dest: "{{ iib_local_folder }}/mirrored-catalogsource.yaml" + mode: "0644" + +- name: Apply mirrored catalogsource + ansible.builtin.shell: | + oc apply -f "{{ iib_local_folder }}/mirrored-catalogsource.yaml" + +- name: Wait for catalogsource to show up + ansible.builtin.shell: | + oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ operator }}" \ + -o jsonpath='{.items[0].status.defaultChannel}' + register: oc_catalogsource_result + retries: 30 + delay: 10 + until: oc_catalogsource_result is not failed + changed_when: false diff --git a/common/ansible/roles/iib_ci/tasks/main.yml b/common/ansible/roles/iib_ci/tasks/main.yml new file mode 100644 index 00000000..ba6eb7c8 --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/main.yml 
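Review bot: Both mirror commands pass `--insecure`, which disables TLS verification for the registries involved, and the catalog mirror additionally sends all output to `catalog.log`, so a failure leaves nothing in the Ansible result except the exit code. If `--insecure` is needed only for the in-cluster registry's self-signed certificate, say so in a comment above each task so the flag is not copied into a path that talks to an external registry; `setup-external-registry.yml` is outside this hunk, so whether the same flag reaches the external registry cannot be told from here. For the log, either drop the redirect and let Ansible capture stdout/stderr, or `register` the task and print the log on failure. The `oc apply` task runs through `shell` without `changed_when`, so it always reports changed, unlike the final wait task.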
@@ -0,0 +1,43 @@ +- name: Check that INDEX_IMAGE env variable is set + ansible.builtin.fail: + msg: "INDEX_IMAGE: '{{ iib_image }}' is not set" + failed_when: + (iib_image is not defined or iib_image | length == 0) + +- name: Set IIB fact + ansible.builtin.set_fact: + iib: "{{ iib_image.split(':')[1] }}" + +- name: Set IIB local folder fact + ansible.builtin.set_fact: + iib_local_folder: "/tmp/manifest-{{ iib }}" + +- name: Get cluster version + # E.g. 4.13.0-rc.6 or 4.12.16 + ansible.builtin.shell: | + oc get openshiftcontrollermanager/cluster -o yaml -o jsonpath='{.status.version}' + register: oc_version_raw + changed_when: false + +- name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests) + ansible.builtin.set_fact: + use_internal_registry: "{{ oc_version_raw.stdout is version('4.13', '>=') }}" + +- name: Set up internal registry (OCP >= 4.13) + ansible.builtin.include_tasks: setup-internal-registry.yml + when: use_internal_registry + +- name: Set up external registry (OCP < 4.13) + ansible.builtin.include_tasks: setup-external-registry.yml + when: not use_internal_registry + +- name: Install new IIB in cluster + ansible.builtin.include_tasks: install-iib-in-cluster.yml + +- name: Mirror all related images + ansible.builtin.include_tasks: mirror-related-images.yml + +- name: Remove pullsecrets tempfolder + ansible.builtin.file: + path: "{{ pull_secrets_tempfolder.path }}" + state: absent diff --git a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml new file mode 100644 index 00000000..821e4be0 --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml 
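Review bot: `iib: "{{ iib_image.split(':')[1] }}"` assumes INDEX_IMAGE always carries exactly one `:`; an untagged or digest-pinned reference raises an index error with an opaque message instead of the friendly failure the first task is meant to give, and a registry host with a port (`host:5000/image:tag`) silently selects `5000/image`. Extending the first task's `failed_when` with `or ':' not in iib_image` and using `iib_image.split(':')[-1]` (or `| regex_replace('^.*:', '')`) would cover both. The task name `Is OCP pre OCP 4.13? (aka registry supports v2 manifests)` reads as the opposite of the fact it sets — `use_internal_registry` is true for `>= 4.13`; `Is OCP 4.13 or newer? (internal registry usable)` would match the code.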
@@ -0,0 +1,226 @@ +# This is needed because some operators like "advanced-cluster-management" +# install a second operator "multicluster-engine" +- name: Set operators list + ansible.builtin.set_fact: + operator_list: "{{ [operator] + (operator == 'advanced-cluster-management') | ternary(['multicluster-engine'], []) }}" + +- name: Set all images to empty list + ansible.builtin.set_fact: + all_images: [] + +- name: Fetch operator images tasks + ansible.builtin.include_tasks: fetch-operator-images.yml + loop: "{{ operator_list }}" + +- name: Print all_images + ansible.builtin.debug: + msg: "{{ all_images }}" + +# A mapping.txt file will have lines like the following. Note how the image to the right of '=' +# does have a shortened hash! : +# registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff...=registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8:8256cca6 +# registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf..=registry-proxy.engineering.redhat.com/rh-osbs/openshift4-ose-haproxy-router:a636cbea +# +# Now what we are doing here is the following: +# 1. For every image we get from the bundle (contained in all_images var) we check if it exists. If it does great, skip to the next image +# 2. If the image was not found above, we take the corresponding URL on the right hand side of the '=' sign in mapping.txt +# except that we drop the hash that exists on the right hand-side and just use the one we were given with the image. +# If the image is found, great. 
If not we need to error out because we have no idea where we can fetch it from +- name: Find out which images really exist by consulting mapping.txt + ansible.builtin.shell: | + set -o pipefail + left_sha=$(echo "{{ image }}" | sed -e 's/^.*@//') + right=$(grep "{{ image }}" "{{ iib_local_folder }}/mapping.txt" | cut -f2 -d=) + right_base=$(echo $right | sed -e 's/:.*$//' -e 's/@.*$//') + right_log=$(echo "${right_base}@${left_sha}" | sed -e 's/\//-/g') + if skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" &> /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log; then + echo "{{ image }}" + elif skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" &> "/tmp/skopeo-${right_log}.log"; then + echo "${right_base}@${left_sha}" + else + echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" + exit 1 + fi + register: all_existing_images + with_items: "{{ all_images }}" + loop_control: + loop_var: image + +# The dictionary below will be in the following form: +# { +# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0" +# }, +# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759" +# }, +# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5": { +# "source": 
"registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5" +# }, +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792" +# }, +# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b" +# }, +# "registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461": { +# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461" +# }, +# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2": { +# "source": "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2" +# }, +# "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40": { +# "source": "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40" +# }, +# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { +# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3" +# } +# } +- name: Create dict with full image name+sha -> url where we will fetch it from + ansible.builtin.set_fact: + 
image_urls: "{{ image_urls | default({}) | combine({item: {'source': all_existing_images.results[counter].stdout, + 'source_nosha': all_existing_images.results[counter].stdout | regex_replace('@.*$', '')}}, recursive=true) }}" + loop: "{{ all_images }}" + loop_control: + index_var: counter + +- name: Create dict with full image name+sha -> mirror destination (OCP >= 4.13) + ansible.builtin.set_fact: + image_urls: "{{ image_urls | default({}) | combine({item: + {'mirrordest': mirror_dest + item | basename, + 'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''), + 'mirrordest_tag': iib}}, recursive=true) }}" + loop: "{{ all_images }}" + when: use_internal_registry + +- name: Create dict with full image name+sha -> mirror destination (OCP < 4.13) + ansible.builtin.set_fact: + image_urls: "{{ image_urls | default({}) | combine({item: + {'mirrordest': mirror_dest + '@' + item | basename | regex_replace('^.*@', ''), + 'mirrordest_nosha': mirror_dest, + 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" + loop: "{{ all_images }}" + when: not use_internal_registry + +- name: Create dict with full image name+sha -> image key without sha + ansible.builtin.set_fact: + image_urls: "{{ image_urls | default({}) | combine({item: {'image_nosha': item | regex_replace('@.*$', '')}}, recursive=true) }}" + loop: "{{ all_images }}" + +# At this point the dictionary looks as follows: +# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { +# "mirrordest": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6@sha256:535... 
+# "mirrordest_nosha": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6", +# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", +# "source_nosha": "registry.redhat.io/rhel8/redis-6" +# } +- name: Print dict with full images + ansible.builtin.debug: + msg: "{{ image_urls }}" + +# OCP 4.13 uses the new fangled "ImageDigestMirrorSet", older OCPs use "ImageContentSourcePolicy" +- name: Template out imageMirror.yaml (OCP >= 4.13) + ansible.builtin.template: + src: ./templates/imageDigestMirror.yaml.j2 + dest: "{{ iib_local_folder }}/imageMirror.yaml" + mode: "0644" + when: use_internal_registry + +- name: Template out imageMirror.yaml (OCP < 4.13) + ansible.builtin.template: + src: ./templates/imageContentSourcePolicy.yaml.j2 + dest: "{{ iib_local_folder }}/imageMirror.yaml" + mode: "0644" + when: not use_internal_registry + +- name: Template out mirror.map + ansible.builtin.template: + src: ./templates/mirror.map.j2 + dest: "{{ iib_local_folder }}/mirror.map" + mode: "0644" + +# NOTE(bandini): mirror.map *must* have a tag (we use the IIB number) on the image on the right side +# otherwise, the image will be uplaoded and will exist in S3 but it won't exist in the registry's catalog!! 
+- name: Mirror all the needed images + ansible.builtin.shell: | + set -o pipefail + oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" -f mirror.map --insecure --keep-manifest-list 2>&1 | tee -a image-mirror.log + args: + chdir: "{{ iib_local_folder }}" + retries: 5 + delay: 2 + register: oc_mirror + until: oc_mirror is not failed + +- name: Fetch MCP observedGeneration worker + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.observedGeneration}' + register: worker_observed_generation_raw + +- name: Fetch MCP machineCount worker + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.machineCount}' + register: worker_machinecount_raw + +- name: Fetch MCP observedGeneration master + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.observedGeneration}' + register: master_observed_generation_raw + +- name: Fetch MCP machineCount master + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.machineCount}' + register: master_machinecount_raw + +- name: Will the imageMirror trigger any changes + ansible.builtin.command: + oc diff -f "{{ iib_local_folder }}/imageMirror.yaml" + failed_when: false + register: oc_mirror_diff + +# We only run this piece if there is an actual change in the mirror digest for images +# cannot use 'is failed' as that is always false when setting failed_when: false above +- name: Apply imageMirror and wait for MCP to complete + when: oc_mirror_diff.rc != 0 + block: + - name: Apply imageMirror + ansible.builtin.command: + oc apply -f "{{ iib_local_folder }}/imageMirror.yaml" + + # NOTE(bandini): The reason to not fail on these two observedGeneration waiting + # tasks, is to make this idempotent: If the 'oc apply' above does *not* trigger + # any changes, the observed generation tasks will just timeout. And then we still + # wait to make sure that the readyworker count is correct. 
+ - name: Wait for MCP new observedGeneration worker + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.observedGeneration}' + register: worker_current_observed_generation_raw + retries: 10 + delay: 20 + until: worker_current_observed_generation_raw.stdout != worker_observed_generation_raw.stdout + failed_when: false + + - name: Wait for MCP new observedGeneration master + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.observedGeneration}' + register: master_current_observed_generation_raw + retries: 10 + delay: 20 + until: master_current_observed_generation_raw.stdout != master_observed_generation_raw.stdout + failed_when: false + + - name: Wait for MCP readyMachineCount to be the same as before applying the digest (worker) + ansible.builtin.shell: + oc get mcp/worker -o jsonpath='{.status.readyMachineCount}' + register: worker_current_ready_machinecount_raw + retries: 30 + delay: 10 + until: worker_current_ready_machinecount_raw.stdout == worker_machinecount_raw.stdout + + - name: Wait for MCP readyMachineCount to be the same as before applying the digest (master) + ansible.builtin.shell: + oc get mcp/master -o jsonpath='{.status.readyMachineCount}' + register: master_current_ready_machinecount_raw + retries: 30 + delay: 10 + until: master_current_ready_machinecount_raw.stdout == master_machinecount_raw.stdout diff --git a/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml new file mode 100644 index 00000000..a9a9b10a --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml 
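Review bot: The two shell tasks that begin with `set -o pipefail` (`Find out which images really exist…` and `Mirror all the needed images`) do not set `executable: /bin/bash`; Ansible's default `/bin/sh` is dash on Debian-family controllers, where `set -o pipefail` is rejected and the task fails before running anything. Add `args: executable: /bin/bash` to both (the second already has an `args:` block for `chdir`). In the first task `grep "{{ image }}"` treats the dots in the image name as regex wildcards — `grep -F` is what is meant — and the failure line contains a stray word: `echo "ERROR: both {{ image }} and ${right_base}@${left_sha} could not be found"`. Since `image` values come straight out of the mirrored bundle and are interpolated into a shell string, `{{ image | quote }}` would keep an unexpected image name from being interpreted by the shell.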
@@ -0,0 +1,45 @@ +- name: Check that we can push to the external registry + ansible.builtin.fail: + msg: "REGISTRY: '{{ external_registry }}' and REGISTRY_TOKEN: '{{ external_registry_token }}'. Both need to be set" + failed_when: > + (external_registry is not defined or external_registry | length == 0) or + (external_registry_token is not defined or external_registry_token | length == 0) + +- name: Get current cluster pull secrets + ansible.builtin.command: + oc extract secret/pull-secret -n openshift-config --to=- + register: pull_secrets_raw + +- name: Add external registry to pull secrets and set auth fact + ansible.builtin.set_fact: + pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" + external_registry_auth: "{{ external_registry_token | b64encode }}" + +- name: Add local registry to pull secrets + ansible.builtin.set_fact: + pull_secrets: "{{ pull_secrets_new | combine({'auths': {external_registry.split('/')[0]: {'email': external_registry_email, 'auth': external_registry_auth}}}, recursive=true) }}" + +- name: Get a tempfile for the pull secrets + ansible.builtin.tempfile: + state: directory + register: pull_secrets_tempfolder + +- name: Store pull secrets in tempfile + ansible.builtin.copy: + dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" + content: "{{ pull_secrets | to_nice_json }}" + mode: "0644" + +# We cannot store the logins back in the cluster, because quay.io would be overwritten and not have +# access to the images openshift needs. See: +# https://github.com/moby/moby/issues/37569 +# - name: Update pull-secret in the cluster +# ansible.builtin.shell: | +# oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" +- name: Set Mirror URL fact for external mirror IIB + ansible.builtin.set_fact: + mirror_iib: "{{ external_registry }}" + +- name: Set Mirror URL fact for external mirror + ansible.builtin.set_fact: + mirror_dest: "{{ external_registry }}" 
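Review bot: The `fail` message in the first task interpolates `external_registry_token` into `msg`, so the registry credential is printed into the play output (and any CI log) whenever the check trips. Drop the value from the message, e.g. `msg: "REGISTRY and REGISTRY_TOKEN must both be set (REGISTRY='{{ external_registry }}')"`, and add `no_log: true` to the two `set_fact` tasks that build `external_registry_auth` and `pull_secrets`, since set_fact echoes its values at higher verbosity. The `.dockerconfigjson` written by `Store pull secrets in tempfile` holds the cluster pull secret plus this token but is created with `mode: "0644"`; `mode: "0600"` is enough for the `oc`/`skopeo` calls that read it, and the same applies to the identical task in setup-internal-registry.yml.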
diff --git a/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml new file mode 100644 index 00000000..82ee7ac4 --- /dev/null +++ b/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml 
@@ -0,0 +1,108 @@ +- name: Check KUBEADMINPASS is set + ansible.builtin.fail: + msg: "KUBEADMINPASS: '{{ kubeadminpass }}' is not set" + failed_when: kubeadminpass is not defined or kubeadminpass | length == 0 + +- name: Get kubeadmin api endpoint + ansible.builtin.command: + oc whoami --show-server=true + register: kubeadminapi_raw + +- name: Set kubeadminapi fact + ansible.builtin.set_fact: + kubeadminapi: "{{ kubeadminapi_raw.stdout }}" + +- name: Login via kubeadmin + ansible.builtin.command: | + oc login -u kubeadmin -p "{{ kubeadminpass }}" "{{ kubeadminapi }}" --insecure-skip-tls-verify=true + +- name: Get kubeadmin token + ansible.builtin.command: | + oc whoami -t + register: oc_whoami_raw + +- name: Set kubeadmin token + ansible.builtin.set_fact: + kubeadmin_token: "{{ oc_whoami_raw.stdout }}" + +- name: Expose internal registry route + ansible.builtin.shell: | + oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge + +- name: Fetch internal registry route value + ansible.builtin.command: + oc registry info --public=true + register: registry_route_raw + retries: 20 + delay: 10 + until: + - registry_route_raw is not failed + - registry_route_raw.stdout | length > 0 + +- name: Set route fact + ansible.builtin.set_fact: + registry_route: "{{ registry_route_raw.stdout }}" + +- name: Set registry allowedRegistries + ansible.builtin.shell: > + oc patch image.config.openshift.io/cluster --patch "{\"spec\":{\"registrySources\":{\"allowedRegistries\":[ \"registry.stage.redhat.io\", \"registry.access.redhat.com\", \"registry.connect.redhat.com\", \"ghcr.io\", \"gcr.io\", \"quay.io\", \"registry.redhat.io\", + \"registry-proxy.engineering.redhat.com\", \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge + +- name: Set registry insecureRegistries + ansible.builtin.shell: > + oc patch image.config.openshift.io/cluster --patch 
"{\"spec\":{\"registrySources\":{\"insecureRegistries\":[ \"registry-proxy.engineering.redhat.com\", + \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge + +- name: Get current cluster pull secrets + ansible.builtin.command: + oc extract secret/pull-secret -n openshift-config --to=- + register: pull_secrets_raw + +- name: Add local registry to pull secrets and set auth fact + ansible.builtin.set_fact: + pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" + internal_registry_auth: "{{ ('kubeadmin:' + kubeadmin_token) | b64encode }}" + +- name: Add local registry to pull secrets + ansible.builtin.set_fact: + pull_secrets: "{{ pull_secrets_new | combine({'auths': {registry_route: {'email': internal_registry_email, 'auth': internal_registry_auth}}}, recursive=true) }}" + +- name: Get a tempfile for the pull secrets + ansible.builtin.tempfile: + state: directory + register: pull_secrets_tempfolder + +- name: Store pull secrets in tempfile + ansible.builtin.copy: + dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" + content: "{{ pull_secrets | to_nice_json }}" + mode: "0644" + +- name: Update pull-secret in the cluster + ansible.builtin.shell: | + oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" + +- name: Before proceeding here we need to make sure that the MCPs have all settled + ansible.builtin.shell: | + if [ $(oc get mcp/master -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/master -o jsonpath='{.status.machineCount}') ]; then + exit 1 + fi + if [ $(oc get mcp/worker -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/worker -o jsonpath='{.status.machineCount}') ]; then + exit 1 + fi + retries: 30 + delay: 20 + register: mcp_ready + until: mcp_ready is not failed + +- name: Login the internal registry with podman + ansible.builtin.command: + podman login --tls-verify=false --username unused --password "{{ 
kubeadmin_token }}" "{{ registry_route }}" + +- name: Set Mirror URL fact for internal mirror IIB + ansible.builtin.set_fact: + mirror_iib: "{{ registry_route }}/{{ internal_registry_ns }}/iib" + +- name: Set Mirror URL fact for internal mirror + ansible.builtin.set_fact: + mirror_dest: "{{ registry_route }}/{{ internal_registry_ns }}/" diff --git a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 new file mode 100644 index 00000000..99087603 --- /dev/null +++ b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 @@ -0,0 +1,9 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: CatalogSource +metadata: + name: iib-{{ iib }} + namespace: {{ internal_registry_ns }} +spec: + image: {{ mirror_iib }}:{{ iib }} + sourceType: grpc + displayName: IIB {{ iib }} diff --git a/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml b/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml new file mode 100644 index 00000000..8fc41821 --- /dev/null +++ b/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml @@ -0,0 +1,14 @@ +apiVersion: config.openshift.io/v1 +kind: OAuth +metadata: + name: cluster +spec: + identityProviders: + - name: my_htpasswd_provider + mappingMethod: claim + type: HTPasswd + challenge: true + login: true + htpasswd: + fileData: + name: htpass-secret diff --git a/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 new file mode 100644 index 00000000..d0f417ec --- /dev/null +++ b/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 
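Review bot: `oc login -u kubeadmin -p "{{ kubeadminpass }}"` and `podman login … --password "{{ kubeadmin_token }}"` put the kubeadmin password and token on the command line, where they appear in Ansible's task output and in the controller's process list. Mark the tasks that carry them (`Login via kubeadmin`, `Login the internal registry with podman`, and the `set_fact` tasks for `kubeadmin_token`, `internal_registry_auth` and `pull_secrets`) with `no_log: true`, and hand podman the token through `--password-stdin` with the command module's `stdin: "{{ kubeadmin_token }}"` instead of `--password`. The first task's `fail` message likewise prints `kubeadminpass` itself; `msg: "KUBEADMINPASS is not set"` carries the same information. `--insecure-skip-tls-verify=true` on the login is presumably deliberate for CI clusters, but a comment above the task saying so would record that decision.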
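Review bot: `templates/htpasswd-oauth.yaml` is not referenced by any task in this role as far as the diff shows, and unlike the other templates it is not a `.j2` file; it configures a cluster-wide OAuth identity provider backed by a `htpass-secret` that nothing here creates. If it is a leftover from development, drop it; if it is meant to be applied by hand, a header comment stating when and how would help the next reader.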
@@ -0,0 +1,19 @@ +--- +apiVersion: operator.openshift.io/v1alpha1 +kind: ImageContentSourcePolicy +metadata: + labels: + operators.openshift.org/catalog: "true" + name: iib-{{ iib }} +spec: + repositoryDigestMirrors: +{% for item in image_urls.values() %} + - mirrors: + - {{ item.mirrordest_nosha }} + source: {{ item.source_nosha }} + mirrorSourcePolicy: NeverContactSource + - mirrors: + - {{ item.mirrordest_nosha }} + source: {{ item.image_nosha }} + mirrorSourcePolicy: NeverContactSource +{% endfor %} diff --git a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 new file mode 100644 index 00000000..d23ab9f2 --- /dev/null +++ b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 @@ -0,0 +1,18 @@ +apiVersion: config.openshift.io/v1 +kind: ImageDigestMirrorSet +metadata: + labels: + operators.openshift.org/catalog: "true" + name: iib-{{ iib }} +spec: + imageDigestMirrors: +{% for item in image_urls.values() %} + - mirrors: + - {{ item.mirrordest_nosha }} + source: {{ item.source_nosha }} + mirrorSourcePolicy: NeverContactSource + - mirrors: + - {{ item.mirrordest_nosha }} + source: {{ item.image_nosha }} + mirrorSourcePolicy: NeverContactSource +{% endfor %} diff --git a/common/ansible/roles/iib_ci/templates/mirror.map.j2 b/common/ansible/roles/iib_ci/templates/mirror.map.j2 new file mode 100644 index 00000000..ecef721c --- /dev/null +++ b/common/ansible/roles/iib_ci/templates/mirror.map.j2 @@ -0,0 +1,3 @@ +{% for item in image_urls.values() %} +{{ item.source }}={{ item.mirrordest_nosha }}:{{ item.mirrordest_tag }} +{% endfor %} diff --git a/common/ansible/roles/iib_ci/vars/main.yml b/common/ansible/roles/iib_ci/vars/main.yml new file mode 100644 index 00000000..56894088 --- /dev/null +++ b/common/ansible/roles/iib_ci/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for iib_ci 
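Review bot: `mirrorSourcePolicy: NeverContactSource` is carried into the ImageContentSourcePolicy template, but as far as I know `repositoryDigestMirrors` entries in `operator.openshift.io/v1alpha1` only define `source` and `mirrors` — that field belongs to ImageDigestMirrorSet. Depending on server-side validation it will be rejected or silently pruned, so on OCP < 4.13 the "never fall back to the source" intent would not hold; please confirm against the CRD and, if so, remove the two `mirrorSourcePolicy` lines from this template only. A short comment at the top of both templates noting that the loop body is intentionally duplicated (one entry keyed on `source_nosha`, one on `image_nosha`) would also help.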
diff --git a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml index 0fdaa631..101b83af 100644 --- a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml +++ b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml @@ -102,6 +102,7 @@ ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}" register: values_secret_plaintext when: is_encrypted + changed_when: false - name: Loads secrets file into the vault of a cluster no_log: false diff --git a/common/ansible/roles/vault_utils/tests/test.yml b/common/ansible/roles/vault_utils/tests/test.yml index 0998beb6..b4da5c68 100644 --- a/common/ansible/roles/vault_utils/tests/test.yml +++ b/common/ansible/roles/vault_utils/tests/test.yml @@ -1,5 +1,6 @@ --- -- hosts: localhost +- name: Test Play + hosts: localhost remote_user: root roles: - vault_utils diff --git a/common/clustergroup/templates/core/namespaces.yaml b/common/clustergroup/templates/core/namespaces.yaml index bf0bfc7d..dfa6ae1a 100644 --- a/common/clustergroup/templates/core/namespaces.yaml +++ b/common/clustergroup/templates/core/namespaces.yaml 
@@ -1,11 +1,31 @@ {{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.namespaces }} +{{- range $ns := .Values.clusterGroup.namespaces }} apiVersion: v1 kind: Namespace metadata: + {{- if kindIs "map" $ns }} + {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} + name: {{ $k }} labels: argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - name: {{ . }} + {{- if $v.labels }} + {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }} + {{- if $v.annotations }} + annotations: + {{- range $key, $value := $v.annotations }} {{- /* We loop through the map to get key/value pairs */}} + {{ $key }}: {{ $value | default "" | quote }} + {{- end }} + {{- end }}{{- /* if $v.annotations */}} + {{- end }}{{- /* range $k, $v := $ns */}} + + {{- else if kindIs "string" $ns }} + labels: + argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} + name: {{ $ns }} + {{- end }} {{- /* if kindIs "string" $ns */}} spec: --- {{- end }} diff --git a/common/clustergroup/templates/core/operatorgroup.yaml b/common/clustergroup/templates/core/operatorgroup.yaml index 74febe94..66774fa6 100644 --- a/common/clustergroup/templates/core/operatorgroup.yaml +++ b/common/clustergroup/templates/core/operatorgroup.yaml 
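Review bot: In the map branch `$v.labels` and `$v.annotations` are evaluated even when a namespace is written as `- open-cluster-management:` with no body, in which case `$v` is nil and the template fails with a nil-pointer evaluation error instead of rendering a plain namespace. Wrapping the two `if` blocks in an outer `{{- if $v }} … {{- end }}` (rather than relying on `and`, which does not short-circuit on older Go/Helm builds) keeps the bare form working. The comment on the labels loop, `We loop here even though the map has always just one key`, was copied from the outer loop and is wrong there since labels can have many keys; `We loop through the map to get key/value pairs`, as the annotations loop already says, would match.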
@@ -1,17 +1,22 @@ {{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.namespaces }} +{{- range $ns := .Values.clusterGroup.namespaces }} + +{{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) }} + + {{- if kindIs "map" $ns }} + {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} -{{- if empty $.Values.clusterGroup.operatorgroupExcludes }} apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: - name: {{ . }}-operator-group - namespace: {{ . }} + name: {{ $k }}-operator-group + namespace: {{ $k }} spec: targetNamespaces: - - {{ . }} ---- -{{- else if not (has . $.Values.clusterGroup.operatorgroupExcludes) }} + - {{ $k }} + {{- end }}{{- /* range $k, $v := $ns */}} + + {{- else if kindIs "string" $ns }} apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: @@ -20,8 +25,8 @@ metadata: spec: targetNamespaces: - {{ . }} + {{- end }} {{- /* if kindIs "string" $ns */}} --- -{{- end }} - -{{- end }} -{{- end }} +{{- end }} {{- /* if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) */}} +{{- end }} {{- /* range $ns := .Values.clusterGroup.namespaces */}} +{{- end }} {{- /* if not (eq .Values.enabled "plumbing") */}} diff --git a/common/clustergroup/templates/plumbing/applications.yaml b/common/clustergroup/templates/plumbing/applications.yaml index 2593942f..206e420f 100644 --- a/common/clustergroup/templates/plumbing/applications.yaml +++ b/common/clustergroup/templates/plumbing/applications.yaml @@ -35,6 +35,8 @@ spec: {{- else }} syncPolicy: automated: {} + retry: + limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} {{- end }} {{- if .ignoreDifferences }} ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }} 
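Review bot: The exclusion test `(not (has . $.Values.clusterGroup.operatorgroupExcludes))` is evaluated before the `kindIs "map"` split with `.` still bound to the whole list element, so for a map-style namespace the value compared is the map itself, never the namespace name in `operatorgroupExcludes`; such namespaces can no longer be excluded. Move the check inside each branch and compare the right value: `{{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has $k $.Values.clusterGroup.operatorgroupExcludes)) }}` in the map branch and `has $ns` in the string branch. The closing comment added in the second hunk of this file should then describe the moved condition.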
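Review bot: `limit: {{ default 20 $.Values.global.options.applicationRetryLimit }}` reads the value from `global.options`, while the second `retry:` block added to this file (hunk `@@ -231,6 +241,8 @@`) and the new default in `common/clustergroup/values.yaml` use `global.applicationRetryLimit`; one of the two Application templates will therefore ignore the configured value and always fall back to 20. Pick one path — the values file suggests `$.Values.global.applicationRetryLimit` — and use it in both places.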
@@ -111,6 +113,10 @@ spec: - name: {{ . }} value: {{ $.Values.global.pattern }} {{- end }} + {{- range $k, $v := $.Values.extraParametersNested }} + - name: {{ $k }} + value: {{ $v }} + {{- end }} {{- range .overrides }} - name: {{ .name }} value: {{ .value | quote }} @@ -208,6 +214,10 @@ spec: - name: {{ . }} value: {{ $.Values.global.pattern }} {{- end }} + {{- range $k, $v := $.Values.extraParametersNested }} + - name: {{ $k }} + value: {{ $v }} + {{- end }} {{- range .overrides }} - name: {{ .name }} value: {{ .value | quote }} @@ -231,6 +241,8 @@ spec: {{- else }} syncPolicy: automated: {} + retry: + limit: {{ default 20 $.Values.global.applicationRetryLimit }} # selfHeal: true {{- end }} --- diff --git a/common/clustergroup/templates/plumbing/argocd.yaml b/common/clustergroup/templates/plumbing/argocd.yaml index 68400b95..84643644 100644 --- a/common/clustergroup/templates/plumbing/argocd.yaml +++ b/common/clustergroup/templates/plumbing/argocd.yaml @@ -12,6 +12,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize 
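Review bot: The two new `extraParametersNested` loops emit `value: {{ $v }}` unquoted, while the adjacent `.overrides` loop writes `value: {{ .value | quote }}`; a value such as `true`, `1.10`, `NO` or an empty string is retyped or becomes null by the time the rendered YAML is parsed, and Helm parameter values are strings in any case. Use `value: {{ $v | quote }}` in both hunks (`@@ -111` and `@@ -208`).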
@@ -60,15 +82,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin diff --git a/common/clustergroup/values.schema.json b/common/clustergroup/values.schema.json index 2377e31b..e64a8125 100644 --- a/common/clustergroup/values.schema.json +++ b/common/clustergroup/values.schema.json @@ -192,6 +192,10 @@ "type": "string", "deprecated": true, "description": "This is used to approval strategy for the subscriptions of OpenShift Operators being installed. You can choose Automatic or Manual updates. NOTE: This setting is now available in the subcriptions description in the values file." + }, + "applicationRetryLimit": { + "type": "integer", + "description": "Number of failed sync attempt retries; unlimited number of attempts if less than 0" } }, "required": [ @@ -220,7 +224,7 @@ "type": "array", "description": "This is the array of namespaces that the VP framework will create. In addition, operator groups will also be created for each namespace.", "items": { - "type": "string" + "$ref": "#/definitions/Namespaces" } }, "indexImages": { 
@@ -318,6 +322,51 @@ ], "title": "ClusterGroup" }, + "Namespaces": { + "anyOf": [ + { + "type": "object" + }, + { + "type": "string" + } + ], + "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", + "additionalProperties": true, + "properties": { + "name": { + "type": "string", + "description": "Name of the namespace." + }, + "labels": { + "type": "array", + "items": { + "$ref": "#/definitions/NameValue" + } + }, + "annotations": { + "type": "array", + "items": { + "$ref": "#/definitions/NameValue" + } + } + } + }, + "NameValue": { + "type": "object", + "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", + "additionalProperties": true, + "properties": { + "name": { + "type": "string", + "description": "Name of the namespace." + }, + "value": { + "type": "string", + "description": "Name of the namespace." + } + } + }, "Applications": { "type": "object", "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", diff --git a/common/clustergroup/values.yaml b/common/clustergroup/values.yaml index 18212e4b..117e009e 100644 --- a/common/clustergroup/values.yaml +++ b/common/clustergroup/values.yaml @@ -5,6 +5,7 @@ global: useCSV: True syncPolicy: Automatic installPlanApproval: Automatic + applicationRetryLimit: 20 enabled: "all" 
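Review bot: The new `Namespaces` definition types `labels` and `annotations` as arrays of `NameValue`, but the example this same commit adds to `common/examples/values-example.yaml` writes them as plain mappings (`labels:` followed by `openshift.io/node-selector: ""`), so one of the two is wrong and schema validation of that example will fail if it is the schema. The `description` of `Namespaces` and `NameValue` is copied verbatim from `Applications` (it talks about Application CRDs), and `NameValue.value` is described as "Name of the namespace."; replace them with `"Namespace to create, either as a bare string or as an object carrying labels and annotations."` and `"Value of the label or annotation."` respectively.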
diff --git a/common/examples/kustomize-renderer/kustomize b/common/examples/kustomize-renderer/kustomize index 5f62b40c..3266d453 100755 --- a/common/examples/kustomize-renderer/kustomize +++ b/common/examples/kustomize-renderer/kustomize @@ -5,11 +5,10 @@ if [ $BASE = $PWD ]; then BASE=./ fi -cat <&0 > "$BASE/helm.patch.yaml" +cat <&0 > "$BASE/helm.yaml" # Including at least one log to stderr allows us to see the full -x output echo $HOME $PWD 1>&2 ls -al 1>&2 -kubectl kustomize "$BASE" && rm "$BASE/helm.patch.yaml" -#kubectl kustomize "$BASE" > "$BASE/result.yaml" +kustomize build "$BASE" && rm "$BASE/helm.yaml" diff --git a/common/examples/values-example.yaml b/common/examples/values-example.yaml index 20b5d227..6f84820c 100644 --- a/common/examples/values-example.yaml +++ b/common/examples/values-example.yaml @@ -13,8 +13,19 @@ clusterGroup: isHubCluster: true namespaces: - - open-cluster-management + - open-cluster-management: + labels: + openshift.io/node-selector: "" + kubernetes.io/os: linux + annotations: + openshift.io/cluster-monitoring: "true" + owner: "namespace owner" - application-ci + - excludes-ci + + operatorgroupExcludes: + - excludes-ci + subscriptions: acm: diff --git a/common/golang-external-secrets/Chart.yaml b/common/golang-external-secrets/Chart.yaml index a0e1afe0..74b1c051 100644 --- a/common/golang-external-secrets/Chart.yaml +++ b/common/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.1 dependencies: - name: external-secrets - version: "0.8.1" + version: "0.8.3" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" diff --git a/common/golang-external-secrets/README.md b/common/golang-external-secrets/README.md index 6db62db7..e12d58f1 100644 --- a/common/golang-external-secrets/README.md +++ b/common/golang-external-secrets/README.md 
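Review bot: `kustomize build "$BASE" && rm "$BASE/helm.yaml"` only removes the captured stdin when the build succeeds, so a failing render leaves the full helm output behind in the source tree. Add `trap 'rm -f "$BASE/helm.yaml"' EXIT` right after the `cat <&0` line and drop the `&& rm` so cleanup happens on every exit path. The unquoted `[ $BASE = $PWD ]` is pre-existing context and not part of this change.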
@@ -3,3 +3,12 @@ When updating this sub-chart, please remember to tweak the image tag in values.yaml. That is because we want to use -ubi images if possible and there is no suffix option, so we just override the tag with the version + "-ubi" + +## Steps + +1. Edit the version in Chart.yaml +2. Run `helm dependency update .` +3. Run `./update-helm-dependency.sh` +4. Tweak `values.yaml` with the new image versions +5. Run `make test` +6. Commit to git diff --git a/common/golang-external-secrets/charts/external-secrets-0.8.1.tgz b/common/golang-external-secrets/charts/external-secrets-0.8.1.tgz deleted file mode 100644 index 73fc4a59..00000000 Binary files a/common/golang-external-secrets/charts/external-secrets-0.8.1.tgz and /dev/null differ diff --git a/common/golang-external-secrets/charts/external-secrets-0.8.3.tgz b/common/golang-external-secrets/charts/external-secrets-0.8.3.tgz new file mode 100644 index 00000000..d738b9cc Binary files /dev/null and b/common/golang-external-secrets/charts/external-secrets-0.8.3.tgz differ diff --git a/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch b/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch new file mode 100644 index 00000000..b4ea727f --- /dev/null +++ b/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch 
@@ -0,0 +1,30 @@ +diff --color -urN external-secrets.orig/values.yaml external-secrets/values.yaml +--- external-secrets.orig/values.yaml 2023-05-22 12:42:54.000000000 +0200 ++++ external-secrets/values.yaml 2023-05-22 16:20:02.748621794 +0200 +@@ -117,7 +117,7 @@ + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true +- runAsUser: 1000 ++ # runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + +@@ -331,7 +331,7 @@ + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true +- runAsUser: 1000 ++ # runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + +@@ -453,7 +453,7 @@ + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true +- runAsUser: 1000 ++ # runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + diff --git a/common/golang-external-secrets/update-helm-dependency.sh b/common/golang-external-secrets/update-helm-dependency.sh new file mode 100755 index 00000000..492148eb --- /dev/null +++ b/common/golang-external-secrets/update-helm-dependency.sh @@ -0,0 +1,29 @@ +#!/bin/bash +set -eu + +# Get the version of the dependency and then unquote it +TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }') +VERSION=$(eval echo "${TMPVER}") + +# Chart format is external-secrets-0.8.0.tgz +NAME="external-secrets" +TAR="${NAME}-${VERSION}.tgz" +CHARTDIR="charts" + +if [ ! -f "${CHARTDIR}/${TAR}" ]; then + echo "Charts $TAR not found" + exit 1 +fi + +pushd "${CHARTDIR}" +rm -rf "${NAME}" +tar xfz "${TAR}" +pushd "${NAME}" +for i in ../../local-patches/*.patch; do + filterdiff "${i}" -p1 -x 'test/*' | patch -p1 +done +find . -type f -iname '*.orig' -exec rm -f "{}" \; +popd +tar cvfz "${TAR}" "${NAME}" +rm -rf "${NAME}" +popd diff --git a/common/golang-external-secrets/values.yaml b/common/golang-external-secrets/values.yaml index 7c7ce7dc..ea7db53d 100644 --- a/common/golang-external-secrets/values.yaml +++ b/common/golang-external-secrets/values.yaml 
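Review bot: The patch comments out `runAsUser: 1000` in three securityContext blocks without a word on why, so a reader sees a hardening knob disappear from a vendored chart. Presumably the pinned UID clashes with OpenShift's restricted SCC, which assigns the UID from the namespace range and rejects a fixed one, while the retained `runAsNonRoot: true` still enforces non-root; state that in a header above the first `diff` line of the patch file, e.g. `OpenShift's restricted SCC allocates the UID per namespace and rejects a fixed runAsUser; runAsNonRoot stays in force, so no privilege is gained` — `patch` skips leading non-diff text.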
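Review bot: `VERSION=$(eval echo "${TMPVER}")` runs the `version:` field read out of Chart.yaml through the shell merely to strip its quotes, so any `$(...)` or backtick in that field would be executed; strip the quotes with parameter expansion instead, `VERSION="${TMPVER//[\"\']/}"`. `set -eu` is missing `-o pipefail`, so a failure in `sed | grep | awk` or in `filterdiff | patch` does not abort the script and a half-patched chart can be re-tarred; use `set -euo pipefail`. The same `filterdiff | patch` pipeline exists in the hashicorp-vault copy of this script touched later in the commit.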
@@ -9,14 +9,12 @@ global: clusterGroup: isHubCluster: true - - external-secrets: image: - tag: v0.8.1-ubi + tag: v0.8.3-ubi webhook: image: - tag: v0.8.1-ubi + tag: v0.8.3-ubi certController: image: - tag: v0.8.1-ubi + tag: v0.8.3-ubi diff --git a/common/hashicorp-vault/Chart.yaml b/common/hashicorp-vault/Chart.yaml index 5e929ec1..6df9f5ec 100644 --- a/common/hashicorp-vault/Chart.yaml +++ b/common/hashicorp-vault/Chart.yaml @@ -6,5 +6,5 @@ name: hashicorp-vault version: 0.0.1 dependencies: - name: vault - version: "0.23.0" + version: "0.24.1" repository: "https://helm.releases.hashicorp.com" diff --git a/common/hashicorp-vault/README.md b/common/hashicorp-vault/README.md index dbc0f016..84065ffd 100644 --- a/common/hashicorp-vault/README.md +++ b/common/hashicorp-vault/README.md @@ -1,5 +1,13 @@ # VP hashicorp-vault +## Updating the chart + +1. Edit Chart.yaml with the new version +2. In the hashicorp-vault folder, run: `helm dependency update .` +3. Run `./update-helm-dependency.sh` +4. Check that the images in ./values.yaml are the same version as [upstream](https://github.com/hashicorp/vault-helm/blob/main/values.openshift.yaml) +5. Git add the new chart in `./charts/vault-.tgz` + ## Patches ### Issue 9136 diff --git a/common/hashicorp-vault/charts/vault-0.23.0.tgz b/common/hashicorp-vault/charts/vault-0.23.0.tgz deleted file mode 100644 index 7e8660a0..00000000 Binary files a/common/hashicorp-vault/charts/vault-0.23.0.tgz and /dev/null differ diff --git a/common/hashicorp-vault/charts/vault-0.24.1.tgz b/common/hashicorp-vault/charts/vault-0.24.1.tgz new file mode 100644 index 00000000..94b38500 Binary files /dev/null and b/common/hashicorp-vault/charts/vault-0.24.1.tgz differ diff --git a/common/hashicorp-vault/update-helm-dependency.sh b/common/hashicorp-vault/update-helm-dependency.sh index fafe3dde..76e4ac14 100755 --- a/common/hashicorp-vault/update-helm-dependency.sh +++ b/common/hashicorp-vault/update-helm-dependency.sh 
@@ -22,6 +22,7 @@ pushd "${NAME}" for i in ../../local-patches/*.patch; do filterdiff "${i}" -p1 -x 'test/*' | patch -p1 done +find . -type f -iname '*.orig' -exec rm -f "{}" \; popd tar cvfz "${TAR}" "${NAME}" rm -rf "${NAME}" diff --git a/common/hashicorp-vault/values.yaml b/common/hashicorp-vault/values.yaml index a0e91908..585e9274 100644 --- a/common/hashicorp-vault/values.yaml +++ b/common/hashicorp-vault/values.yaml @@ -49,4 +49,4 @@ vault: termination: "reencrypt" image: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.12.1-ubi" + tag: "1.13.1-ubi" diff --git a/common/letsencrypt/.helmignore b/common/letsencrypt/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/common/letsencrypt/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/common/letsencrypt/Chart.yaml b/common/letsencrypt/Chart.yaml new file mode 100644 index 00000000..b5b1c31b --- /dev/null +++ b/common/letsencrypt/Chart.yaml 
@@ -0,0 +1,16 @@
+apiVersion: v2
+name: letsencrypt
+description: A Helm chart to add letsencrypt support to Validated Patterns
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/common/letsencrypt/README.md b/common/letsencrypt/README.md
new file mode 100644
index 00000000..d277abaa
--- /dev/null
+++ b/common/letsencrypt/README.md
@@ -0,0 +1,68 @@ +# Letsencrypt support for Validated patterns + +This is an *EXPERIMENTAL* and *UNSUPPORTED* chart to enable letsencrypt support in the pattern. +Currently the only supported cloud for this is AWS. + +In order to enable this chart in your patterns, please add and edit the following lines to `values-AWS.yaml`: + + letsencrypt: + region: eu-central-1 # region of the cluster + server: https://acme-v02.api.letsencrypt.org/directory + # staging URL + # server: https://acme-staging-v02.api.letsencrypt.org/directory + email: foo@bar.it + + clusterGroup: + applications: + letsencrypt: + name: letsencrypt + namespace: letsencrypt + project: default + path: common/letsencrypt + +Once the above is enabled in a pattern, a certain amount of time (~15/20 minutes or so) is needed for all the cluster operators to settle, all the HTTPS routes will have a wildcard certificate signed by letsencrypt. By default also the API endpoint will use a certificate signed by letsencrypt. + +## Limitations + +Please be aware of the following gotchas when using this chart: + +1. Once the API certificate has been replaced with the letsencrypt one, the `oc` commands might fail with x509 unknown certificate authority errors. + You need to remove the previous CA from the kubeconfig file. Run: `oc config set-cluster --certificate-authority="/dev/null" --embed-certs` +2. When you switch to non-staging letsencrypt certificates, things might fail if you asked for too many certificates over the last few days. +3. The cluster takes ~20-30 mins to fully settle when both the API endpoint and the default ingress certificates are implemented + +## Implementation + +This chart creates a Cloud Credential that is allowed to write and read DNS entries via Route53 in AWS. That credential is then used by cert-manager to prove ownership of the DNS zone and answer the ACME DNS01 challenges. 
+We ask for a single wildcard certificate for the default Ingress *.apps.domain and one non-wildcard certificate for the API endpoint api.domain. +We use Argo's Server-Side Apply feature to patch in the Ingress Controller and the API endpoint certificates. +Currently we also patch the main cluster-wide Argo instance to set the tls route to `reencrypt` in order have a proper cert there. Once issue 297 in the gitops-operator repository is fixed, we can drop that. + +## Parameters + +### global parameters + +This section contains the global parameters consumed by this chart + +| Name | Description | Value | +| --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------ | +| `global.localClusterDomain` | String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework | `apps.example.com` | + +### letsencrypt parameters + +This section contains all the parameters for the letsencrypt +chart in order to request CA signed certificates in a Validated Pattern + +| Name | Description | Value | +| -------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | +| `letsencrypt.enabled` | Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True) | `true` | +| `letsencrypt.api_endpoint` | Boolean to enable letsencrypt certs on the API endpoint too (defaults to True) | `true` | +| `letsencrypt.region` | String that defines the region used by the route53/dns01 resolver in cert-manager (required) | `eu-central-1` | +| `letsencrypt.email` | String containing the email used when requesting certificates to letsencrypt (required) | `test@example.com` | +| `letsencrypt.server` | String containing the letsencrypt ACME URL (Defaults to the staging server) | 
`https://acme-staging-v02.api.letsencrypt.org/directory` | +| `letsencrypt.organizations` | List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io]) | `["hybrid-cloud-patterns.io"]` | +| `letsencrypt.usages` | List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth]) | `["server auth"]` | +| `letsencrypt.duration` | Duration of the requested letsencrypt certificates (Defaults to 168h0m0s) | `168h0m0s` | +| `letsencrypt.renewBefore` | How long before expiration date should the certs be renewed (Defaults to 28h0m0s) | `28h0m0s` | +| `letsencrypt.nameservers` | List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) | `["8.8.8.8:53","1.1.1.1:53"]` | +| `letsencrypt.certmanagerChannel` | String the channel to install cert-manager from (Defaults to "stable-v1") | `stable-v1` | diff --git a/common/letsencrypt/templates/api-cert.yaml b/common/letsencrypt/templates/api-cert.yaml new file mode 100644 index 00000000..ed9e7c0e --- /dev/null +++ b/common/letsencrypt/templates/api-cert.yaml 
@@ -0,0 +1,28 @@
+{{ if and (.Values.letsencrypt.enabled) (.Values.letsencrypt.api_endpoint) }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: api-validated-patterns-cert
+ namespace: openshift-config
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ secretName: api-validated-patterns-letsencrypt-cert
+ duration: {{ .Values.letsencrypt.duration }}
+ renewBefore: {{ .Values.letsencrypt.renewBefore }}
+ commonName: 'api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}'
+ usages:
+ {{- range .Values.letsencrypt.usages }}
+ - {{ . }}
+ {{- end }}
+ dnsNames:
+ - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}
+ issuerRef:
+ name: validated-patterns-issuer
+ kind: ClusterIssuer
+ subject:
+ organizations:
+ {{- range .Values.letsencrypt.organizations }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/common/letsencrypt/templates/cert-manager-installation.yaml b/common/letsencrypt/templates/cert-manager-installation.yaml
new file mode 100644
index 00000000..59375b00
--- /dev/null
+++ b/common/letsencrypt/templates/cert-manager-installation.yaml
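Review bot: `replace "apps." ""` in `commonName` and `dnsNames` removes every occurrence of `apps.` in `localClusterDomain`, not only the leading label, so a base domain that itself contains that label (constructed example: `apps.lab.apps.example.com` becomes `api.lab.example.com` instead of `api.lab.apps.example.com`) yields a certificate for the wrong name. Use `trimPrefix "apps."` in both places, and in the APIServer `namedCertificates` entry of default-routes.yaml, which must produce exactly the same name or the API server will not find a matching SAN. The `- {{ . }}` entries under `usages` and `organizations` are unquoted templated scalars; `- {{ . | quote }}` keeps a value like `server auth` a string regardless of what a user puts in values.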
@@ -0,0 +1,38 @@
+{{ if .Values.letsencrypt.enabled }}
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: openshift-cert-manager-operator
+ namespace: cert-manager-operator
+spec:
+ channel: "{{ .Values.letsencrypt.certmanagerChannel }}"
+ installPlanApproval: Automatic
+ name: openshift-cert-manager-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: cert-manager-operator
+ namespace: cert-manager-operator
+spec:
+ targetNamespaces:
+ - cert-manager-operator
+---
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+ name: cluster
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ managementState: "Managed"
+ unsupportedConfigOverrides:
+ # Here's an example to supply custom DNS settings.
+ controller:
+ args:
+ - "--dns01-recursive-nameservers={{ with index .Values.letsencrypt.nameservers 0 }}{{ . }}{{- end }},{{ with index .Values.letsencrypt.nameservers 1 }}{{ . }}{{- end }}"
+ - "--dns01-recursive-nameservers-only"
+{{- end }}
diff --git a/common/letsencrypt/templates/credentials-request.yaml b/common/letsencrypt/templates/credentials-request.yaml
new file mode 100644
index 00000000..27aad295
--- /dev/null
+++ b/common/letsencrypt/templates/credentials-request.yaml
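Review bot: The `--dns01-recursive-nameservers` argument hard-codes exactly two entries via `index ... 0` and `index ... 1`, so a `nameservers` list with one element makes `helm template` fail with an index-out-of-range error and any third element is silently dropped, although values.yaml documents the key as a free-form list. Replace the whole expression with `- "--dns01-recursive-nameservers={{ join "," .Values.letsencrypt.nameservers }}"`. The comment `# Here's an example to supply custom DNS settings.` is left over from an upstream sample; rewrite it to say why the override is needed, e.g. `# DNS01 self-checks must bypass the cluster's split-horizon DNS`.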
@@ -0,0 +1,24 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+ name: letsencrypt-cert-manager-dns
+ namespace: openshift-cloud-credential-operator
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ providerSpec:
+ apiVersion: cloudcredential.openshift.io/v1
+ kind: AWSProviderSpec
+ statementEntries:
+ - action:
+ - 'route53:ChangeResourceRecordSets'
+ - 'route53:GetChange'
+ - 'route53:ListHostedZonesByName'
+ - 'route53:ListHostedZones'
+ effect: Allow
+ resource: '*'
+ secretRef:
+ name: cert-manager-dns-credentials
+ namespace: cert-manager
+{{- end }}
diff --git a/common/letsencrypt/templates/default-routes.yaml b/common/letsencrypt/templates/default-routes.yaml
new file mode 100644
index 00000000..8a01db6a
--- /dev/null
+++ b/common/letsencrypt/templates/default-routes.yaml
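Review bot: The single statement grants `route53:ChangeResourceRecordSets` on `resource: '*'`, which lets the cert-manager credential rewrite records in every hosted zone of the AWS account, while the ACME DNS01 solver only ever needs to write `_acme-challenge` TXT records in the cluster's own zone. The list and GetChange calls do require `*`, but the write call can be scoped to the zone ARN; that needs the zone id as a new chart value (proposed name `letsencrypt.hostedZoneId`, documented in values.yaml alongside `region`). Split the entry as below; `secretRef` is unchanged.

```yaml
 statementEntries:
 - action:
 - 'route53:GetChange'
 - 'route53:ListHostedZonesByName'
 - 'route53:ListHostedZones'
 effect: Allow
 resource: '*'
 - action:
 - 'route53:ChangeResourceRecordSets'
 effect: Allow
 # proposed new value; <HOSTED_ZONE_ID> placeholder, set per deployment
 resource: 'arn:aws:route53:::hostedzone/{{ .Values.letsencrypt.hostedZoneId }}'
 # … unchanged: secretRef …
```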
@@ -0,0 +1,46 @@
+{{ if .Values.letsencrypt.enabled }}
+---
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ routeAdmission:
+ wildcardPolicy: WildcardsAllowed
+ defaultCertificate:
+ name: lets-encrypt-wildcart-cert-tls
+# Patch the cluster-wide argocd instance so it uses the ingress tls cert
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+ name: openshift-gitops
+ namespace: openshift-gitops
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ server:
+ route:
+ enabled: true
+ tls:
+ termination: reencrypt
+{{ if .Values.letsencrypt.api_endpoint }}
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+ name: cluster
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ servingCerts:
+ namedCertificates:
+ - names:
+ - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}
+ servingCertificate:
+ name: api-validated-patterns-letsencrypt-cert
+{{- end }}
+{{- end }}
diff --git a/common/letsencrypt/templates/issuer.yaml b/common/letsencrypt/templates/issuer.yaml
new file mode 100644
index 00000000..1370500f
--- /dev/null
+++ b/common/letsencrypt/templates/issuer.yaml
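Review bot: `name: lets-encrypt-wildcart-cert-tls` under `defaultCertificate` carries a typo that also lives in `secretName` of wildcard-cert.yaml; the two only work because they are misspelt identically, and a future fix in one file alone takes the default ingress certificate away. Rename both to `lets-encrypt-wildcard-cert-tls` in one change, or add `# must match secretName in wildcard-cert.yaml` next to the line. The comment `# Patch the cluster-wide argocd instance ...` sits before the `---`, so it is attached to the end of the IngressController document rather than to the ArgoCD one; move it below the separator. The APIServer patch references a secret that does not exist until cert-manager has issued the certificate, so the kube-apiserver operator may report degraded during that window — presumably tolerated, but worth a comment.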
@@ -0,0 +1,25 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: validated-patterns-issuer
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ acme:
+ server: {{ .Values.letsencrypt.server }}
+ email: {{ .Values.letsencrypt.email }}
+ privateKeySecretRef:
+ name: validated-patterns-issuer-account-key
+ solvers:
+ - selector: {}
+ dns01:
+ route53:
+ region: {{ .Values.letsencrypt.region }}
+ accessKeyIDSecretRef:
+ name: cert-manager-dns-credentials
+ key: aws_access_key_id
+ secretAccessKeySecretRef:
+ name: cert-manager-dns-credentials
+ key: aws_secret_access_key
+{{- end }}
diff --git a/common/letsencrypt/templates/namespaces.yaml b/common/letsencrypt/templates/namespaces.yaml
new file mode 100644
index 00000000..a4f65fe5
--- /dev/null
+++ b/common/letsencrypt/templates/namespaces.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager-operator
+spec:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+spec:
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: letsencrypt
+spec:
+---
+{{- end }}
diff --git a/common/letsencrypt/templates/wildcard-cert.yaml b/common/letsencrypt/templates/wildcard-cert.yaml
new file mode 100644
index 00000000..e7b82480
--- /dev/null
+++ b/common/letsencrypt/templates/wildcard-cert.yaml
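Review bot: `server`, `email` and `region` are rendered as bare templated scalars, so an unset value produces a null field and the ClusterIssuer is rejected with an opaque API error rather than a render-time message. Quote them and fail early for the two the README marks as required: `server: {{ .Values.letsencrypt.server | quote }}`, `email: {{ required "letsencrypt.email must be set" .Values.letsencrypt.email | quote }}`, `region: {{ required "letsencrypt.region must be set" .Values.letsencrypt.region | quote }}`. `selector: {}` makes this the catch-all solver, which is fine for a single-solver issuer; a one-line comment saying so would stop the next reader from narrowing it by accident.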
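Review bot: The bare `spec:` on each Namespace renders as `spec: null`, which the API server tolerates but yamllint flags as an empty value, and the trailing `---` before `{{- end }}` emits an empty document. Drop the three `spec:` lines and the final separator; a Namespace needs only `metadata.name`.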
@@ -0,0 +1,28 @@
+{{ if .Values.letsencrypt.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: lets-encrypt-certs
+ namespace: openshift-ingress
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ secretName: lets-encrypt-wildcart-cert-tls
+ duration: {{ .Values.letsencrypt.duration }}
+ renewBefore: {{ .Values.letsencrypt.renewBefore }}
+ commonName: '*.{{ $.Values.global.localClusterDomain }}'
+ usages:
+ {{- range .Values.letsencrypt.usages }}
+ - {{ . }}
+ {{- end }}
+ dnsNames:
+ - '*.{{ $.Values.global.localClusterDomain }}'
+ issuerRef:
+ name: validated-patterns-issuer
+ kind: ClusterIssuer
+ subject:
+ organizations:
+ {{- range .Values.letsencrypt.organizations }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/common/letsencrypt/values.yaml b/common/letsencrypt/values.yaml
new file mode 100644
index 00000000..a95957b8
--- /dev/null
+++ b/common/letsencrypt/values.yaml
@@ -0,0 +1,60 @@
+# NOTE: This is currently an experimental/unsupported chart!
+# Default values for the experimental letsencrypt chart
+# Generate the README.md sections using https://github.com/bitnami-labs/readme-generator-for-helm
+#
+## @section global parameters
+## @descriptionStart This section contains the global parameters consumed by this chart
+## @descriptionEnd
+global:
+ ## @param global.localClusterDomain String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework
+ localClusterDomain: "apps.example.com"
+
+## @section letsencrypt parameters
+## @descriptionStart This section contains all the parameters for the letsencrypt
+## chart in order to request CA signed certificates in a Validated Pattern
+## @descriptionEnd
+letsencrypt:
+ # By default if you include this chart you enable the letsencrypt charts
+ # on both the *.apps. ingress and on the API endpoint
+ ## @param letsencrypt.enabled Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True)
+ enabled: true
+ ## @param letsencrypt.api_endpoint Boolean to enable letsencrypt certs on the API endpoint too (defaults to True)
+ api_endpoint: true
+
+ # These two lines need tweaking for every deployment. @example.com emails
+ # will be rejected by letsencrypt
+ ## @param letsencrypt.region String that defines the region used by the route53/dns01 resolver in cert-manager (required)
+ region: eu-central-1
+ ## @param letsencrypt.email String containing the email used when requesting certificates to letsencrypt (required)
+ email: test@example.com
+
+ # By default we use the staging URL to avoid any ratelimiting while testing
+ # To switch to the production certificates signed by a recognized CA, please
+ # switch the comments around in the two following lines
+ ## @param letsencrypt.server String containing the letsencrypt ACME URL (Defaults to the staging server)
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # server: https://acme-v02.api.letsencrypt.org/directory
+
+ # These are only for metadata in the certificates
+ ## @param letsencrypt.organizations List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io])
+ organizations:
+ - hybrid-cloud-patterns.io
+ ## @param letsencrypt.usages List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth])
+ usages:
+ - server auth
+
+ ## @param letsencrypt.duration Duration of the requested letsencrypt certificates (Defaults to 168h0m0s)
+ duration: "168h0m0s"
+ ## @param letsencrypt.renewBefore How long before expiration date should the certs be renewed (Defaults to 28h0m0s)
+ renewBefore: "28h0m0s"
+
+ # These two are needed because the DNS01 ACME solver needs outside DNS
+ # servers and won't really work with openshift's internal split-view DNS servers
+ # https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
+ ## @param letsencrypt.nameservers List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53])
+ nameservers:
+ - 8.8.8.8:53
+ - 1.1.1.1:53
+
+ ## @param letsencrypt.certmanagerChannel String the channel to install cert-manager from (Defaults to "stable-v1")
+ certmanagerChannel: "stable-v1"
diff --git a/common/operator-install/templates/pattern.yaml b/common/operator-install/templates/pattern.yaml
index efe9f3ba..d8b3df81 100644
--- a/common/operator-install/templates/pattern.yaml
+++ b/common/operator-install/templates/pattern.yaml
@@ -10,6 +10,7 @@ spec: targetRevision: {{ .Values.main.git.revision }} gitOpsSpec: operatorChannel: {{ default "gitops-1.8" .Values.main.gitops.channel }} + operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }} {{- if .Values.main.extraParameters }} extraParameters: {{- range .Values.main.extraParameters }}
diff --git a/common/operator-install/templates/subscription.yaml b/common/operator-install/templates/subscription.yaml
index 381e185f..41d0d211 100644
--- a/common/operator-install/templates/subscription.yaml
+++ b/common/operator-install/templates/subscription.yaml
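Review bot: `email: test@example.com` ships a default that the comment two lines above says Let's Encrypt will reject, so a user who forgets to override it only finds out at ACME account registration, after the operator and credential request have already been applied. Ship the two required keys empty (`email: ""`, `region: ""`) and let the issuer template reject them with `required`, which turns the mistake into a `helm template` error. The `@param` line for `enabled` reads "default Infress" and is copied into the README by the generator; fix it to "default Ingress". `api_endpoint` is the only snake_case key among camelCase siblings (`renewBefore`, `certmanagerChannel`); renaming it to `apiEndpoint` now, before the chart has users, avoids a compatibility shim later.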
@@ -6,8 +6,8 @@ metadata: labels: operators.coreos.com/patterns-operator.openshift-operators: "" spec: - channel: fast + channel: {{ .Values.main.patternsOperator.channel }} installPlanApproval: Automatic name: patterns-operator - source: community-operators + source: {{ .Values.main.patternsOperator.source }} sourceNamespace: openshift-marketplace diff --git a/common/operator-install/values.yaml b/common/operator-install/values.yaml index d3ff7fe7..d5b0b13f 100644 --- a/common/operator-install/values.yaml +++ b/common/operator-install/values.yaml @@ -5,5 +5,10 @@ main: gitops: channel: "gitops-1.8" + operatorSource: redhat-operators + + patternsOperator: + channel: fast + source: community-operators clusterGroupName: default diff --git a/common/scripts/pattern-util.sh b/common/scripts/pattern-util.sh index 82416a2d..149e8af7 100755 --- a/common/scripts/pattern-util.sh +++ b/common/scripts/pattern-util.sh @@ -27,7 +27,7 @@ fi # Do not quote the ${KUBECONF_ENV} below, otherwise we will pass '' to podman # which will be confused -podman run -it \ +podman run -it --rm \ --security-opt label=disable \ ${KUBECONF_ENV} \ -v "${HOME}":"${HOME}" \ diff --git a/common/tests/acm-industrial-edge-hub.expected.yaml b/common/tests/acm-industrial-edge-hub.expected.yaml index f9772238..d54a8db6 100644 --- a/common/tests/acm-industrial-edge-hub.expected.yaml +++ b/common/tests/acm-industrial-edge-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -245,6 +246,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/common/tests/acm-medical-diagnosis-hub.expected.yaml b/common/tests/acm-medical-diagnosis-hub.expected.yaml index 5e064480..6e3eedff 100644 
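Review bot: `channel: {{ .Values.main.patternsOperator.channel }}` and `source: {{ .Values.main.patternsOperator.source }}` have no fallback, so a values file written before this commit (which lacks the new `patternsOperator` block) renders a null `channel` and `source` and OLM rejects the Subscription; the pattern.yaml hunk in the same commit guards its new key with `default "redhat-operators"`. Make the two lines consistent with it: `channel: {{ default "fast" .Values.main.patternsOperator.channel }}` and `source: {{ default "community-operators" .Values.main.patternsOperator.source }}`, or quote them with `| quote` if a hard failure on missing values is intended.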
--- a/common/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/common/tests/acm-medical-diagnosis-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -236,6 +237,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/common/tests/acm-naked.expected.yaml b/common/tests/acm-naked.expected.yaml index 86d7277d..cb73d733 100644 --- a/common/tests/acm-naked.expected.yaml +++ b/common/tests/acm-naked.expected.yaml @@ -13,6 +13,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/ocp-gitops-policy.yaml diff --git a/common/tests/acm-normal.expected.yaml b/common/tests/acm-normal.expected.yaml index 79a9dde4..7c7ac7d5 100644 --- a/common/tests/acm-normal.expected.yaml +++ b/common/tests/acm-normal.expected.yaml @@ -399,6 +399,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -654,6 +655,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment @@ -746,6 +749,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/common/tests/clustergroup-industrial-edge-factory.expected.yaml b/common/tests/clustergroup-industrial-edge-factory.expected.yaml index dfb795d4..649463a3 100644 
--- a/common/tests/clustergroup-industrial-edge-factory.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-factory.expected.yaml @@ -145,6 +145,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Manual useCSV: true @@ -382,6 +383,8 @@ spec: } syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -428,6 +431,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/argocd.yaml @@ -443,6 +448,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -491,15 +518,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin 
diff --git a/common/tests/clustergroup-industrial-edge-hub.expected.yaml b/common/tests/clustergroup-industrial-edge-hub.expected.yaml index 9c43c8cc..c4c7dddc 100644 --- a/common/tests/clustergroup-industrial-edge-hub.expected.yaml +++ b/common/tests/clustergroup-industrial-edge-hub.expected.yaml @@ -306,6 +306,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Manual useCSV: true @@ -713,6 +714,8 @@ spec: ] syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -759,6 +762,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -805,6 +810,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -881,6 +888,8 @@ spec: ] syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -927,6 +936,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -973,6 +984,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -997,6 +1010,8 @@ spec: } syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -1061,6 +1076,8 @@ spec: value: "1.10.3-ubi" syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/argocd.yaml 
@@ -1076,6 +1093,28 @@ metadata:
 annotations:
 argocd.argoproj.io/compare-options: IgnoreExtraneous
 spec:
+# Adding health checks to argocd to prevent pvc resources
+# that aren't bound state from blocking deployments
+ resourceCustomizations: |
+ PersistentVolumeClaim:
+ health.lua: |
+ hs = {}
+ if obj.status ~= nil then
+ if obj.status.phase ~= nil then
+ if obj.status.phase == "Pending" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ elseif obj.status.phase == "Bound" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ end
+ end
+ end
+ hs.status = "Progressing"
+ hs.message = "Waiting for PVC"
+ return hs
 applicationInstanceLabelKey: argocd.argoproj.io/instance
 # Not the greatest way to pass git/quay info to sub-applications, but it will do until
 # we can support helmChart with kustomize
@@ -1124,15 +1163,17 @@ spec:
 requests:
 cpu: 500m
 memory: 2Gi
- dex:
- openShiftOAuth: true
- resources:
- limits:
- cpu: 500m
- memory: 256Mi
- requests:
- cpu: 250m
- memory: 128Mi
+ sso:
+ provider: dex
+ dex:
+ openShiftOAuth: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
 initialSSHKnownHosts: {}
 rbac:
 defaultPolicy: role:admin
diff --git a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml
index 89ba22d6..dccc6e92 100644
--- a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml
+++ b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml
@@ -293,6 +293,7 @@ data:
 localClusterDomain: apps.region.example.com
 namespace: pattern-namespace
 options:
+ applicationRetryLimit: 20
 installPlanApproval: Automatic
 syncPolicy: Manual
 useCSV: true
@@ -649,6 +650,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -695,6 +698,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -741,6 +746,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -787,6 +794,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -833,6 +842,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -879,6 +890,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -925,6 +938,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -989,6 +1004,8 @@ spec:
 value: "1.10.3-ubi"
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -1035,6 +1052,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -1081,6 +1100,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -1136,6 +1157,8 @@ spec:
 ]
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -1191,6 +1214,8 @@ spec:
 ]
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -1237,6 +1262,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/argocd.yaml
@@ -1252,6 +1279,28 @@ metadata:
 annotations:
 argocd.argoproj.io/compare-options: IgnoreExtraneous
 spec:
+# Adding health checks to argocd to prevent pvc resources
+# that aren't bound state from blocking deployments
+ resourceCustomizations: |
+ PersistentVolumeClaim:
+ health.lua: |
+ hs = {}
+ if obj.status ~= nil then
+ if obj.status.phase ~= nil then
+ if obj.status.phase == "Pending" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ elseif obj.status.phase == "Bound" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ end
+ end
+ end
+ hs.status = "Progressing"
+ hs.message = "Waiting for PVC"
+ return hs
 applicationInstanceLabelKey: argocd.argoproj.io/instance
 # Not the greatest way to pass git/quay info to sub-applications, but it will do until
 # we can support helmChart with kustomize
@@ -1300,15 +1349,17 @@ spec:
 requests:
 cpu: 500m
 memory: 2Gi
- dex:
- openShiftOAuth: true
- resources:
- limits:
- cpu: 500m
- memory: 256Mi
- requests:
- cpu: 250m
- memory: 128Mi
+ sso:
+ provider: dex
+ dex:
+ openShiftOAuth: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
 initialSSHKnownHosts: {}
 rbac:
 defaultPolicy: role:admin
diff --git a/common/tests/clustergroup-naked.expected.yaml b/common/tests/clustergroup-naked.expected.yaml
index f0c12937..6a79b27d 100644
--- a/common/tests/clustergroup-naked.expected.yaml
+++ b/common/tests/clustergroup-naked.expected.yaml
@@ -66,6 +66,7 @@ data:
 enabled: all
 global:
 options:
+ applicationRetryLimit: 20
 installPlanApproval: Automatic
 syncPolicy: Automatic
 useCSV: true
@@ -266,6 +267,28 @@ metadata:
 annotations:
 argocd.argoproj.io/compare-options: IgnoreExtraneous
 spec:
+# Adding health checks to argocd to prevent pvc resources
+# that aren't bound state from blocking deployments
+ resourceCustomizations: |
+ PersistentVolumeClaim:
+ health.lua: |
+ hs = {}
+ if obj.status ~= nil then
+ if obj.status.phase ~= nil then
+ if obj.status.phase == "Pending" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ elseif obj.status.phase == "Bound" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ end
+ end
+ end
+ hs.status = "Progressing"
+ hs.message = "Waiting for PVC"
+ return hs
 applicationInstanceLabelKey: argocd.argoproj.io/instance
 # Not the greatest way to pass git/quay info to sub-applications, but it will do until
 # we can support helmChart with kustomize
@@ -314,15 +337,17 @@ spec:
 requests:
 cpu: 500m
 memory: 2Gi
- dex:
- openShiftOAuth: true
- resources:
- limits:
- cpu: 500m
- memory: 256Mi
- requests:
- cpu: 250m
- memory: 128Mi
+ sso:
+ provider: dex
+ dex:
+ openShiftOAuth: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
 initialSSHKnownHosts: {}
 rbac:
 defaultPolicy: role:admin
diff --git a/common/tests/clustergroup-normal.expected.yaml b/common/tests/clustergroup-normal.expected.yaml
index f7e6d84d..c0af256d 100644
--- a/common/tests/clustergroup-normal.expected.yaml
+++ b/common/tests/clustergroup-normal.expected.yaml
@@ -3,9 +3,14 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+ name: open-cluster-management
 labels:
 argocd.argoproj.io/managed-by: mypattern-example
- name: open-cluster-management
+ kubernetes.io/os: "linux"
+ openshift.io/node-selector: ""
+ annotations:
+ openshift.io/cluster-monitoring: "true"
+ owner: "namespace owner"
 spec:
 ---
 # Source: pattern-clustergroup/templates/core/namespaces.yaml
@@ -17,6 +22,15 @@ metadata:
 name: application-ci
 spec:
 ---
+# Source: pattern-clustergroup/templates/core/namespaces.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ argocd.argoproj.io/managed-by: mypattern-example
+ name: excludes-ci
+spec:
+---
 # Source: pattern-clustergroup/templates/imperative/namespace.yaml
 apiVersion: v1
 kind: Namespace
@@ -143,8 +157,17 @@ data:
 name: argo-edge
 name: example
 namespaces:
- - open-cluster-management
+ - open-cluster-management:
+ annotations:
+ openshift.io/cluster-monitoring: "true"
+ owner: namespace owner
+ labels:
+ kubernetes.io/os: linux
+ openshift.io/node-selector: ""
 - application-ci
+ - excludes-ci
+ operatorgroupExcludes:
+ - excludes-ci
 projects:
 - datacenter
 subscriptions:
@@ -175,6 +198,7 @@ data:
 multiClusterTarget: all
 namespace: pattern-namespace
 options:
+ applicationRetryLimit: 20
 installPlanApproval: Automatic
 syncPolicy: Automatic
 useCSV: false
@@ -540,6 +564,8 @@ spec:
 ]
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/applications.yaml
@@ -586,6 +612,8 @@ spec:
 value: apps.region.example.com
 syncPolicy:
 automated: {}
+ retry:
+ limit: 20
 # selfHeal: true
 ---
 # Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml
@@ -841,6 +869,28 @@ metadata:
 annotations:
 argocd.argoproj.io/compare-options: IgnoreExtraneous
 spec:
+# Adding health checks to argocd to prevent pvc resources
+# that aren't bound state from blocking deployments
+ resourceCustomizations: |
+ PersistentVolumeClaim:
+ health.lua: |
+ hs = {}
+ if obj.status ~= nil then
+ if obj.status.phase ~= nil then
+ if obj.status.phase == "Pending" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ elseif obj.status.phase == "Bound" then
+ hs.status = "Healthy"
+ hs.message = obj.status.phase
+ return hs
+ end
+ end
+ end
+ hs.status = "Progressing"
+ hs.message = "Waiting for PVC"
+ return hs
 applicationInstanceLabelKey: argocd.argoproj.io/instance
 # Not the greatest way to pass git/quay info to sub-applications, but it will do until
 # we can support helmChart with kustomize
@@ -889,15 +939,17 @@ spec:
 requests:
 cpu: 500m
 memory: 2Gi
- dex:
- openShiftOAuth: true
- resources:
- limits:
- cpu: 500m
- memory: 256Mi
- requests:
- cpu: 250m
- memory: 128Mi
+ sso:
+ provider: dex
+ dex:
+ openShiftOAuth: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
 initialSSHKnownHosts: {}
 rbac:
 defaultPolicy: role:admin
diff --git a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml
index d7e88e41..22b23f0d 100644
--- a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml
+++ b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml
@@ -6,10 +6,10 @@ metadata:
 name: external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
@@ -19,10 +19,10 @@ metadata:
 name: golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -32,10 +32,10 @@ metadata:
 name: external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
@@ -45,10 +45,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 ---
@@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: acraccesstokens.generators.external-secrets.io
 spec:
 group: generators.external-secrets.io
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: clusterexternalsecrets.external-secrets.io
 spec:
 group: external-secrets.io
@@ -500,6 +498,9 @@ spec:
 engineVersion:
 default: v2
 type: string
+ mergePolicy:
+ default: Replace
+ type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
 properties:
@@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: clustersecretstores.external-secrets.io
 spec:
 group: external-secrets.io
@@ -705,7 +705,7 @@ spec:
 description: SecretStoreSpec defines the desired state of SecretStore.
 properties:
 controller:
- description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
 type: string
 provider:
 description: Used to configure the provider. Only one provider may be set
@@ -844,6 +844,23 @@ spec:
 auth:
 description: AlibabaAuth contains a secretRef for credentials.
 properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
 secretRef:
 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
 properties:
@@ -877,11 +894,7 @@ spec:
 - accessKeyIDSecretRef
 - accessKeySecretSecretRef
 type: object
- required:
- - secretRef
 type: object
- endpoint:
- type: string
 regionID:
 description: Alibaba Region to be used for the provider
 type: string
@@ -1114,7 +1127,7 @@ spec:
 type: string
 type: object
 gitlab:
- description: Gitlab configures this store to sync secrets using Gitlab Variables provider
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
 properties:
 auth:
 description: Auth configures how secret-manager authenticates with a GitLab instance.
@@ -1854,7 +1867,7 @@ spec:
 type: object
 type: array
 controller:
- description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
 type: string
 provider:
 description: Used to configure the provider. Only one provider may be set
@@ -1993,6 +2006,23 @@ spec:
 auth:
 description: AlibabaAuth contains a secretRef for credentials.
 properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
 secretRef:
 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
 properties:
@@ -2026,11 +2056,7 @@ spec:
 - accessKeyIDSecretRef
 - accessKeySecretSecretRef
 type: object
- required:
- - secretRef
 type: object
- endpoint:
- type: string
 regionID:
 description: Alibaba Region to be used for the provider
 type: string
@@ -2114,6 +2140,9 @@ spec:
 type: object
 type: object
 type: object
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
 region:
 description: AWS Region to be used for the provider
 type: string
@@ -2344,7 +2373,7 @@ spec:
 type: string
 type: object
 gitlab:
- description: Gitlab configures this store to sync secrets using Gitlab Variables provider
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
 properties:
 auth:
 description: Auth configures how secret-manager authenticates with a GitLab instance.
@@ -2784,6 +2813,19 @@ spec:
 roleId:
 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
 type: string
+ roleRef:
+ description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
 secretRef:
 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
 properties:
@@ -2799,7 +2841,6 @@ spec:
 type: object
 required:
 - path
- - roleId
 - secretRef
 type: object
 cert:
@@ -2832,6 +2873,94 @@ spec:
 type: string
 type: object
 type: object
+ iam:
+ description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
+ properties:
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ jwt:
+ description: Specify a service account with IRSA enabled
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ path:
+ description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
+ type: string
+ region:
+ description: AWS region
+ type: string
+ role:
+ description: This is the AWS role to be assumed before talking to vault
+ type: string
+ secretRef:
+ description: Specify credentials in a Secret object
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ vaultAwsIamServerID:
+ description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
+ type: string
+ vaultRole:
+ description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
+ type: string
+ required:
+ - vaultRole
+ type: object
 jwt:
 description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
 properties:
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: ecrauthorizationtokens.generators.external-secrets.io
 spec:
 group: generators.external-secrets.io
@@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: externalsecrets.external-secrets.io
 spec:
 group: external-secrets.io
@@ -3586,6 +3713,14 @@ spec:
 type: object
 status:
 properties:
+ binding:
+ description: Binding represents a servicebinding.io Provisioned Service reference to the secret
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
 conditions:
 items:
 properties:
@@ -3888,6 +4023,9 @@ spec:
 engineVersion:
 default: v2
 type: string
+ mergePolicy:
+ default: Replace
+ type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
 properties:
@@ -3957,6 +4095,14 @@ spec:
 type: object
 status:
 properties:
+ binding:
+ description: Binding represents a servicebinding.io Provisioned Service reference to the secret
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
 conditions:
 items:
 properties:
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: fakes.generators.external-secrets.io
 spec:
 group: generators.external-secrets.io
@@ -4038,6 +4183,9 @@ spec:
 spec:
 description: FakeSpec contains the static data.
 properties:
+ controller:
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property'
+ type: string
 data:
 additionalProperties:
 type: string
@@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: gcraccesstokens.generators.external-secrets.io
 spec:
 group: generators.external-secrets.io
@@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: passwords.generators.external-secrets.io
 spec:
 group: generators.external-secrets.io
@@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: pushsecrets.external-secrets.io
 spec:
 group: external-secrets.io
@@ -4299,6 +4444,9 @@ spec:
 remoteRef:
 description: Remote Refs to push to providers.
 properties:
+ property:
+ description: Name of the property in the resulting secret
+ type: string
 remoteKey:
 description: Name of the resulting provider secret.
 type: string
@@ -4424,6 +4572,9 @@ spec:
 remoteRef:
 description: Remote Refs to push to providers.
 properties:
+ property:
+ description: Name of the property in the resulting secret
+ type: string
 remoteKey:
 description: Name of the resulting provider secret.
 type: string
@@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.3
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.11.4
 name: secretstores.external-secrets.io
 spec:
 group: external-secrets.io
@@ -4509,7 +4659,7 @@ spec:
 description: SecretStoreSpec defines the desired state of SecretStore.
 properties:
 controller:
- description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
 type: string
 provider:
 description: Used to configure the provider. Only one provider may be set
@@ -4648,6 +4798,23 @@ spec:
 auth:
 description: AlibabaAuth contains a secretRef for credentials.
 properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
 secretRef:
 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
 properties:
@@ -4681,11 +4848,7 @@ spec:
 - accessKeyIDSecretRef
 - accessKeySecretSecretRef
 type: object
- required:
- - secretRef
 type: object
- endpoint:
- type: string
 regionID:
 description: Alibaba Region to be used for the provider
 type: string
@@ -4918,7 +5081,7 @@ spec:
 type: string
 type: object
 gitlab:
- description: Gitlab configures this store to sync secrets using Gitlab Variables provider
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
 properties:
 auth:
 description: Auth configures how secret-manager authenticates with a GitLab instance.
@@ -5658,7 +5821,7 @@ spec:
 type: object
 type: array
 controller:
- description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+ description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
 type: string
 provider:
 description: Used to configure the provider. Only one provider may be set
@@ -5797,6 +5960,23 @@ spec:
 auth:
 description: AlibabaAuth contains a secretRef for credentials.
 properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
 secretRef:
 description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
 properties:
@@ -5830,11 +6010,7 @@ spec:
 - accessKeyIDSecretRef
 - accessKeySecretSecretRef
 type: object
- required:
- - secretRef
 type: object
- endpoint:
- type: string
 regionID:
 description: Alibaba Region to be used for the provider
 type: string
@@ -5918,6 +6094,9 @@ spec:
 type: object
 type: object
 type: object
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
 region:
 description: AWS Region to be used for the provider
 type: string
@@ -6148,7 +6327,7 @@ spec:
 type: string
 type: object
 gitlab:
- description: Gitlab configures this store to sync secrets using Gitlab Variables provider
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
 properties:
 auth:
 description: Auth configures how secret-manager authenticates with a GitLab instance.
@@ -6588,6 +6767,19 @@ spec:
 roleId:
 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
 type: string
+ roleRef:
+ description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
 secretRef:
 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
 properties:
@@ -6603,7 +6795,6 @@ spec:
 type: object
 required:
 - path
- - roleId
 - secretRef
 type: object
 cert:
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7696,6 +8140,25 @@ rules: - "update" - "patch" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: view-pods + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +--- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7703,10 +8166,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7717,6 +8180,25 @@ subjects: name: golang-external-secrets namespace: "default" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: view-pods-rb + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: vault + namespace: vault + apiGroup: "" +roleRef: + kind: Role + name: view-pods + apiGroup: rbac.authorization.k8s.io +--- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service @@ -7724,10 +8206,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8230,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8250,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8290,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8310,19 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8338,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8361,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index 4b957a45..2de0030f 100644 --- a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: 
@@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec:
 - auth
 - server
 type: object
+ resultType:
+ default: Data
+ description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure.
+ type: string
 required:
 - path
 - provider
@@ -7386,10 +7771,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-cert-controller
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -7437,6 +7822,15 @@ rules:
 - "watch"
 - "update"
 - "patch"
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - "leases"
+ verbs:
+ - "get"
+ - "create"
+ - "update"
+ - "patch"
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -7444,10 +7838,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-controller
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -7553,10 +7947,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-view
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -7573,6 +7967,19 @@ rules:
 - "get"
 - "watch"
 - "list"
+ - apiGroups:
+ - "generators.external-secrets.io"
+ resources:
+ - "acraccesstokens"
+ - "ecrauthorizationtokens"
+ - "fakes"
+ - "gcraccesstokens"
+ - "passwords"
+ - "vaultdynamicsecrets"
+ verbs:
+ - "get"
+ - "watch"
+ - "list"
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -7580,10 +7987,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-edit
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -7601,6 +8008,43 @@ rules:
 - "deletecollection"
 - "patch"
 - "update"
+ - apiGroups:
+ - "generators.external-secrets.io"
+ resources:
+ - "acraccesstokens"
+ - "ecrauthorizationtokens"
+ - "fakes"
+ - "gcraccesstokens"
+ - "passwords"
+ - "vaultdynamicsecrets"
+ verbs:
+ - "create"
+ - "delete"
+ - "deletecollection"
+ - "patch"
+ - "update"
+---
+# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: golang-external-secrets-servicebindings
+ labels:
+ servicebinding.io/controller: "true"
+ helm.sh/chart: external-secrets-0.8.3
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/instance: golang-external-secrets
+ app.kubernetes.io/version: "v0.8.3"
+ app.kubernetes.io/managed-by: Helm
+rules:
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "externalsecrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding
 metadata:
 name: golang-external-secrets-cert-controller
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding
 metadata:
 name: golang-external-secrets-controller
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -7664,10 +8108,10 @@ metadata:
 name: golang-external-secrets-leaderelection
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -7696,6 +8140,25 @@ rules:
 - "update"
 - "patch"
 ---
+# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: view-pods
+ namespace: vault
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/sync-wave: "-15"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+---
 # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -7703,10 +8166,10 @@ metadata:
 name: golang-external-secrets-leaderelection
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -7717,6 +8180,25 @@ subjects:
 name: golang-external-secrets
 namespace: "default"
 ---
+# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: view-pods-rb
+ namespace: vault
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/sync-wave: "-15"
+subjects:
+- kind: ServiceAccount
+ name: vault
+ namespace: vault
+ apiGroup: ""
+roleRef:
+ kind: Role
+ name: view-pods
+ apiGroup: rbac.authorization.k8s.io
+---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml
 apiVersion: v1
 kind: Service
@@ -7724,10 +8206,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 spec:
@@ -7748,10 +8230,10 @@ metadata:
 name: golang-external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -7768,9 +8250,19 @@ spec:
 spec:
 serviceAccountName: external-secrets-cert-controller
 automountServiceAccountToken: true
+ hostNetwork: false
 containers:
 - name: cert-controller
- image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - certcontroller
@@ -7798,10 +8290,10 @@ metadata:
 name: golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -7818,9 +8310,19 @@ spec:
 spec:
 serviceAccountName: golang-external-secrets
 automountServiceAccountToken: true
+ hostNetwork: false
 containers:
 - name: external-secrets
- image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - --concurrent=1
@@ -7836,10 +8338,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -7859,7 +8361,16 @@ spec:
 automountServiceAccountToken: true
 containers:
 - name: webhook
- image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - webhook
@@ -7891,6 +8402,32 @@ spec:
 secret:
 secretName: golang-external-secrets-webhook
 ---
+# Source: golang-external-secrets/templates/golang-external-secrets-hub-presync.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ name: job-wait-for-vault
+ # By placing the job in the vault namespace we can avoid dealing with RBACs
+ namespace: vault
+spec:
+ template:
+ spec:
+ containers:
+ - image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
+ command:
+ - /bin/bash
+ - -c
+ - |
+ oc wait --for=condition=Ready=true pods -n vault vault-0 --timeout=900s
+ name: wait-for-healthy-vault
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ serviceAccount: vault
+ serviceAccountName: vault
+ terminationGracePeriodSeconds: 60
+---
 # Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
diff --git a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml
index 4b957a45..2de0030f 100644
--- a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml
+++ b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml
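Review bot: The new `job-wait-for-vault` Job runs its wait loop as the `vault` ServiceAccount and pulls `openshift/cli:latest`, so a helper that only needs to watch one pod inherits the Vault server's Kubernetes identity and an unpinned image; this rendered output comes from `golang-external-secrets/templates/golang-external-secrets-hub-presync.yaml`, which is where any change belongs. The inline comment `# By placing the job in the vault namespace we can avoid dealing with RBACs` reads as stale now that the same commit adds a `view-pods` Role and RoleBinding for that ServiceAccount, presumably so this `oc wait` is authorized; rewording it to say the Job reuses the `vault` ServiceAccount together with the `view-pods` Role would match what is deployed. A dedicated ServiceAccount bound only to `view-pods`, and a digest- or version-pinned `cli` image, would narrow what the PreSync hook can do if the wait script is ever changed. The Job also sets no `backoffLimit` or `activeDeadlineSeconds`, so a PreSync that never sees `vault-0` Ready retries with the Job defaults rather than failing fast.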
@@ -6,10 +6,10 @@ metadata:
 name: external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
@@ -19,10 +19,10 @@ metadata:
 name: golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -32,10 +32,10 @@ metadata:
 name: external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
@@ -45,10 +45,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.8.1
+ helm.sh/chart: external-secrets-0.8.3
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.8.1"
+ app.kubernetes.io/version: "v0.8.3"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 ---
@@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. 
@@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7696,6 +8140,25 @@ rules: - "update" - "patch" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: view-pods + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +--- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7703,10 +8166,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7717,6 +8180,25 @@ subjects: name: golang-external-secrets namespace: "default" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: view-pods-rb + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: vault + namespace: vault + apiGroup: "" +roleRef: + kind: Role + name: view-pods + apiGroup: rbac.authorization.k8s.io +--- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service @@ -7724,10 +8206,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8230,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
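Review bot: The new RoleBinding `view-pods-rb` grants pod get/list/watch to the `vault` ServiceAccount, which is presumably the identity the Vault server pods themselves run as, only so that the PreSync Job in hunk `@@ -7891,6 +8402,32 @@` (which also sets `serviceAccount: vault`) can run `oc wait`. Reusing the server's own identity for a one-shot helper widens that identity for no benefit; a dedicated ServiceAccount for the wait job (for example one named `wait-for-vault`, created alongside it) bound by this RoleBinding keeps the Vault SA at its previous scope. The `subjects` list here is written flush (`- kind:`) while every other sequence in this rendered output is indented, which is worth aligning in the template. Both points belong in `golang-external-secrets-hub-vault-rbac-rolebinding.yaml` and `golang-external-secrets-hub-presync.yaml` named in the `# Source:` lines, not in this generated expected file.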
@@ -7768,9 +8250,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8290,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8310,19 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8338,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8361,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook @@ -7891,6 +8402,32 @@ spec: secret: secretName: golang-external-secrets-webhook --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-presync.yaml +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/hook: PreSync + name: job-wait-for-vault + # By placing the job in the vault namespace we can avoid dealing with RBACs + namespace: vault +spec: + template: + spec: + containers: + - image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest + command: + - /bin/bash + - -c + - | + oc wait --for=condition=Ready=true pods -n vault vault-0 --timeout=900s + name: wait-for-healthy-vault + dnsPolicy: ClusterFirst + restartPolicy: Never + serviceAccount: vault + serviceAccountName: vault + terminationGracePeriodSeconds: 60 +--- # Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore diff --git a/common/tests/golang-external-secrets-naked.expected.yaml b/common/tests/golang-external-secrets-naked.expected.yaml index 5e43d029..bf906863 100644 --- a/common/tests/golang-external-secrets-naked.expected.yaml +++ b/common/tests/golang-external-secrets-naked.expected.yaml 
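Review bot: The `wait-for-healthy-vault` container of the new `job-wait-for-vault` Job has no `securityContext`, while this same commit hardens the three ESO containers in the `@@ -7768`, `@@ -7818` and `@@ -7859` hunks with `allowPrivilegeEscalation: false`, dropped capabilities, `runAsNonRoot` and a `RuntimeDefault` seccomp profile; an `oc wait` helper needs none of those privileges and should carry the same block (`readOnlyRootFilesystem` may need a writable `emptyDir` for `oc`'s cache, so verify that one). The comment `# By placing the job in the vault namespace we can avoid dealing with RBACs` is misleading, because the commit still has to add the `view-pods` Role and `view-pods-rb` RoleBinding for this Job's ServiceAccount; the namespace choice only avoids a ClusterRole or cross-namespace binding, so reword it to `# Runs in the vault namespace so the view-pods Role/RoleBinding can stay namespace-scoped`. The Job also sets no `backoffLimit`, so with `restartPolicy: Never` a 900s timeout failure is retried in fresh pods up to the default count instead of failing the PreSync promptly; an explicit `backoffLimit` documents the intent. These fixes belong in `golang-external-secrets-hub-presync.yaml`, which this expected file renders.
```yaml
      containers:
      - image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: command, name …
```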
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. 
@@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7696,6 +8140,25 @@ rules: - "update" - "patch" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: view-pods + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +--- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7703,10 +8166,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7717,6 +8180,25 @@ subjects: name: golang-external-secrets namespace: "default" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: view-pods-rb + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: vault + namespace: vault + apiGroup: "" +roleRef: + kind: Role + name: view-pods + apiGroup: rbac.authorization.k8s.io +--- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service @@ -7724,10 +8206,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8230,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8250,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8290,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8310,19 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8338,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8361,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook @@ -7891,6 +8402,32 @@ spec: secret: secretName: golang-external-secrets-webhook --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-presync.yaml +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/hook: PreSync + name: job-wait-for-vault + # By placing the job in the vault namespace we can avoid dealing with RBACs + namespace: vault +spec: + template: + spec: + containers: + - image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest + command: + - /bin/bash + - -c + - | + oc wait --for=condition=Ready=true pods -n vault vault-0 --timeout=900s + name: wait-for-healthy-vault + dnsPolicy: ClusterFirst + restartPolicy: Never + serviceAccount: vault + serviceAccountName: vault + terminationGracePeriodSeconds: 60 +--- # Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore diff --git a/common/tests/golang-external-secrets-normal.expected.yaml b/common/tests/golang-external-secrets-normal.expected.yaml index 4b957a45..2de0030f 100644 --- a/common/tests/golang-external-secrets-normal.expected.yaml +++ b/common/tests/golang-external-secrets-normal.expected.yaml 
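Review bot: The PreSync Job `job-wait-for-vault` in the second hunk pulls `image-registry.openshift-image-registry.svc:5000/openshift/cli:latest` with no version tag or digest and runs as `serviceAccountName: vault`, so the wait helper borrows the Vault server's own identity, and the `view-pods` Role and `view-pods-rb` RoleBinding added in the two preceding hunks (L160, L161) widen that identity instead of a dedicated account for the job. It also carries none of the container `securityContext` hardening (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`) that this same change applies to the webhook container in the first hunk and to the two other external-secrets containers, and the rendered Job spec has no `activeDeadlineSeconds` or `backoffLimit`, so a Vault that never becomes Ready falls back to the default Job retry policy. This file is a rendered test expectation, so the fix belongs in `golang-external-secrets/templates/golang-external-secrets-hub-presync.yaml` (and the hub-vault-rbac role/rolebinding templates it depends on), after which the expected file is regenerated. Suggested shape: pin the cli image, create a dedicated ServiceAccount for the job and bind `view-pods` to it, copy the same container `securityContext` block, and set a Job-level `activeDeadlineSeconds` slightly above the `oc wait --timeout=900s`.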
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. 
@@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7664,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7696,6 +8140,25 @@ rules: - "update" - "patch" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: view-pods + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +--- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -7703,10 +8166,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7717,6 +8180,25 @@ subjects: name: golang-external-secrets namespace: "default" --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-vault-rbac-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: view-pods-rb + namespace: vault + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: vault + namespace: vault + apiGroup: "" +roleRef: + kind: Role + name: view-pods + apiGroup: rbac.authorization.k8s.io +--- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml apiVersion: v1 kind: Service @@ -7724,10 +8206,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -7748,10 +8230,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7768,9 +8250,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8290,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8310,19 @@ spec: spec: serviceAccountName: golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -7836,10 +8338,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -7859,7 +8361,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook @@ -7891,6 +8402,32 @@ spec: secret: secretName: golang-external-secrets-webhook --- +# Source: golang-external-secrets/templates/golang-external-secrets-hub-presync.yaml +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/hook: PreSync + name: job-wait-for-vault + # By placing the job in the vault namespace we can avoid dealing with RBACs + namespace: vault +spec: + template: + spec: + containers: + - image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest + command: + - /bin/bash + - -c + - | + oc wait --for=condition=Ready=true pods -n vault vault-0 --timeout=900s + name: wait-for-healthy-vault + dnsPolicy: ClusterFirst + restartPolicy: Never + serviceAccount: vault + serviceAccountName: vault + terminationGracePeriodSeconds: 60 +--- # Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore diff --git a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-naked.expected.yaml b/common/tests/hashicorp-vault-naked.expected.yaml index d4b110b5..c8506883 100644 --- a/common/tests/hashicorp-vault-naked.expected.yaml +++ b/common/tests/hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/common/tests/hashicorp-vault-normal.expected.yaml b/common/tests/hashicorp-vault-normal.expected.yaml index 2f8643d4..8377766b 100644 --- a/common/tests/hashicorp-vault-normal.expected.yaml +++ b/common/tests/hashicorp-vault-normal.expected.yaml @@ -6,7 +6,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR 
diff --git a/common/tests/letsencrypt-industrial-edge-factory.expected.yaml b/common/tests/letsencrypt-industrial-edge-factory.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null +++ b/common/tests/letsencrypt-industrial-edge-factory.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-industrial-edge-hub.expected.yaml b/common/tests/letsencrypt-industrial-edge-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/common/tests/letsencrypt-industrial-edge-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml b/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-naked.expected.yaml b/common/tests/letsencrypt-naked.expected.yaml new file mode 100644 index 00000000..73aa94a4 --- /dev/null 
+++ b/common/tests/letsencrypt-naked.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.example.com' + usages: + - server auth + dnsNames: + - api.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.example.com' + usages: + - server auth + dnsNames: + - '*.apps.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-normal.expected.yaml b/common/tests/letsencrypt-normal.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null 
+++ b/common/tests/letsencrypt-normal.expected.yaml 
@@ -0,0 +1,202 @@
+---
+# Source: letsencrypt/templates/namespaces.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager-operator
+spec:
+---
+# Source: letsencrypt/templates/namespaces.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+spec:
+---
+# Source: letsencrypt/templates/namespaces.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: letsencrypt
+spec:
+---
+# Source: letsencrypt/templates/default-routes.yaml
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+ name: cluster
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ servingCerts:
+ namedCertificates:
+ - names:
+ - api.region.example.com
+ servingCertificate:
+ name: api-validated-patterns-letsencrypt-cert
+---
+# Source: letsencrypt/templates/default-routes.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+ name: openshift-gitops
+ namespace: openshift-gitops
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ server:
+ route:
+ enabled: true
+ tls:
+ termination: reencrypt
+---
+# Source: letsencrypt/templates/cert-manager-installation.yaml
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+ name: cluster
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ managementState: "Managed"
+ unsupportedConfigOverrides:
+ # Here's an example to supply custom DNS settings.
+ controller:
+ args:
+ - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
+ - "--dns01-recursive-nameservers-only"
+---
+# Source: letsencrypt/templates/api-cert.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: api-validated-patterns-cert
+ namespace: openshift-config
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ secretName: api-validated-patterns-letsencrypt-cert
+ duration: 168h0m0s
+ renewBefore: 28h0m0s
+ commonName: 'api.region.example.com'
+ usages:
+ - server auth
+ dnsNames:
+ - api.region.example.com
+ issuerRef:
+ name: validated-patterns-issuer
+ kind: ClusterIssuer
+ subject:
+ organizations:
+ - hybrid-cloud-patterns.io
+---
+# Source: letsencrypt/templates/wildcard-cert.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: lets-encrypt-certs
+ namespace: openshift-ingress
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ secretName: lets-encrypt-wildcart-cert-tls
+ duration: 168h0m0s
+ renewBefore: 28h0m0s
+ commonName: '*.apps.region.example.com'
+ usages:
+ - server auth
+ dnsNames:
+ - '*.apps.region.example.com'
+ issuerRef:
+ name: validated-patterns-issuer
+ kind: ClusterIssuer
+ subject:
+ organizations:
+ - hybrid-cloud-patterns.io
+---
+# Source: letsencrypt/templates/issuer.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: validated-patterns-issuer
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: test@example.com
+ privateKeySecretRef:
+ name: validated-patterns-issuer-account-key
+ solvers:
+ - selector: {}
+ dns01:
+ route53:
+ region: eu-central-1
+ accessKeyIDSecretRef:
+ name: cert-manager-dns-credentials
+ key: aws_access_key_id
+ secretAccessKeySecretRef:
+ name: cert-manager-dns-credentials
+ key: aws_secret_access_key
+---
+# Source:
letsencrypt/templates/credentials-request.yaml
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+ name: letsencrypt-cert-manager-dns
+ namespace: openshift-cloud-credential-operator
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ providerSpec:
+ apiVersion: cloudcredential.openshift.io/v1
+ kind: AWSProviderSpec
+ statementEntries:
+ - action:
+ - 'route53:ChangeResourceRecordSets'
+ - 'route53:GetChange'
+ - 'route53:ListHostedZonesByName'
+ - 'route53:ListHostedZones'
+ effect: Allow
+ resource: '*'
+ secretRef:
+ name: cert-manager-dns-credentials
+ namespace: cert-manager
+---
+# Source: letsencrypt/templates/default-routes.yaml
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
+ annotations:
+ argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
+spec:
+ routeAdmission:
+ wildcardPolicy: WildcardsAllowed
+ defaultCertificate:
+ name: lets-encrypt-wildcart-cert-tls
+# Patch the cluster-wide argocd instance so it uses the ingress tls cert
+---
+# Source: letsencrypt/templates/cert-manager-installation.yaml
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: cert-manager-operator
+ namespace: cert-manager-operator
+spec:
+ targetNamespaces:
+ - cert-manager-operator
+---
+# Source: letsencrypt/templates/cert-manager-installation.yaml
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: openshift-cert-manager-operator
+ namespace: cert-manager-operator
+spec:
+ channel: "stable-v1"
+ installPlanApproval: Automatic
+ name: openshift-cert-manager-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
diff --git a/common/tests/operator-install-industrial-edge-factory.expected.yaml b/common/tests/operator-install-industrial-edge-factory.expected.yaml
index 80fd98de..5fc96bf3 100644
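Review bot: The rendered CredentialsRequest grants `route53:ChangeResourceRecordSets` with `resource: '*'`, i.e. write access to the records of every hosted zone in the AWS account, while the ClusterIssuer above it only needs to create the DNS-01 `_acme-challenge` TXT records in the zone that serves api.region.example.com and *.apps.region.example.com. Only the two `List*` actions need `'*'`; `GetChange` can be limited to `arn:aws:route53:::change/*` and the change action to the hosted zone, with the zone id supplied as a chart value, as sketched below — the edit belongs in letsencrypt/templates/credentials-request.yaml, which this expected output is rendered from. Separately, `routeAdmission.wildcardPolicy: WildcardsAllowed` on the default IngressController is not required to serve the wildcard default certificate; unless a pattern component actually creates wildcard Routes, keeping the OpenShift default (WildcardsDisallowed) avoids letting any namespace admit a Route that claims `*.apps.region.example.com`.
```yaml
  statementEntries:
  - action:
    - 'route53:ListHostedZones'
    - 'route53:ListHostedZonesByName'
    effect: Allow
    resource: '*'
  - action:
    - 'route53:GetChange'
    effect: Allow
    resource: 'arn:aws:route53:::change/*'
  - action:
    - 'route53:ChangeResourceRecordSets'
    effect: Allow
    resource: 'arn:aws:route53:::hostedzone/<hosted-zone-id>'  # from a chart value
  # … unchanged: secretRef …
```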
--- a/common/tests/operator-install-industrial-edge-factory.expected.yaml +++ b/common/tests/operator-install-industrial-edge-factory.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/tests/operator-install-industrial-edge-hub.expected.yaml b/common/tests/operator-install-industrial-edge-hub.expected.yaml index 80fd98de..5fc96bf3 100644 --- a/common/tests/operator-install-industrial-edge-hub.expected.yaml +++ b/common/tests/operator-install-industrial-edge-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml index 80fd98de..5fc96bf3 100644 --- a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml +++ b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/tests/operator-install-naked.expected.yaml b/common/tests/operator-install-naked.expected.yaml index d9a00c03..4c7837fe 100644 --- a/common/tests/operator-install-naked.expected.yaml +++ b/common/tests/operator-install-naked.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 
diff --git a/common/tests/operator-install-normal.expected.yaml b/common/tests/operator-install-normal.expected.yaml index 80fd98de..5fc96bf3 100644 --- a/common/tests/operator-install-normal.expected.yaml +++ b/common/tests/operator-install-normal.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/common/values-global.yaml b/common/values-global.yaml index 8a890f3d..24feccd5 100644 --- a/common/values-global.yaml +++ b/common/values-global.yaml @@ -3,6 +3,7 @@ global: useCSV: True syncPolicy: Manual installPlanApproval: Automatic + applicationRetryLimit: 20 git: hostname: github.com diff --git a/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml b/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml index b8cd50c3..d2f3f21a 100644 --- a/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-industrial-edge-factory.expected.yaml 
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
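Review bot: The version probe in wait-for-objectstore.sh has no failure path: if `oc get subs` fails or `.status.currentCSV` is not yet populated, `ODFMINV` is empty and `[[ ${ODFMINV} -lt 13 ]]` is true because bash evaluates an empty arithmetic operand as 0, so the script silently waits for the pre-4.13 `Connected` phase, which on a newer ODF never appears, and the job only fails after the 100s timeout with an error that points at the object store rather than at the version lookup. Add `set -euo pipefail` and reject a non-numeric `ODFMINV` before the comparison, as below; the fix belongs in the chart template this ConfigMap is rendered from (xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml), not in this expected file. Taking the third dot-separated field of the CSV name also presumes the `odf-operator.v4.<minor>.…` naming — worth confirming against the actual CSV names the subscription reports.
```yaml
  wait-for-objectstore.sh: |
    #!/bin/bash
    set -euo pipefail
    # Get ODF version
    ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3)
    if ! [[ "${ODFMINV}" =~ ^[0-9]+$ ]]; then
      echo "cannot determine ODF minor version from subscription odf-operator (got '${ODFMINV}')" >&2
      exit 1
    fi
    # … unchanged: the two oc wait branches …
```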
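Review bot: In ClusterRole view-odf-subs the `subs` entry under `resources` is inert: RBAC matches the resource name in the request path (`subscriptions`), and `oc` expands the short name client-side before the request is made, so only the `subscriptions` line grants anything and `subs` can be dropped. The rule is also much broader than the single read the job performs (`oc get subs -n openshift-storage odf-operator`): it allows get/list/watch on every Subscription in every namespace of the cluster. If the chart's rbac helper can emit a namespaced Role, the least-privilege form is a Role in openshift-storage with `resources: [subscriptions]`, `resourceNames: [odf-operator]`, `verbs: [get]`; that change belongs in the chart values and xray-init/templates/rbac/role.yaml rather than in this rendered file.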
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml b/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml index b8cd50c3..d2f3f21a 100644 --- a/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-industrial-edge-hub.expected.yaml 
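Review bot: The wait bound drops from the 900s on the removed inline `oc wait` to the 100s used by both `oc wait` calls in the mounted script (the wait-for-objectstore ConfigMap rendered earlier in this file), and with `restartPolicy: Never` a timeout ends the pod; whether the Job is retried depends on its `backoffLimit`, which is outside this hunk. If the shorter bound was not deliberate, keep `--timeout=900s` in the script or expose the timeout as a chart value so a slow ODF bring-up does not fail the init job. As a style point, `defaultMode: 0755` is a YAML 1.1 octal literal (493); the Kubernetes client libraries read it that way, but writing `defaultMode: 493` removes the ambiguity for any YAML 1.2 tooling that would read it as decimal 755.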
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml b/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml index b8cd50c3..d2f3f21a 100644 --- a/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-medical-diagnosis-hub.expected.yaml 
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/all-medical-diagnosis-xray-init-naked.expected.yaml b/tests/all-medical-diagnosis-xray-init-naked.expected.yaml index 8e5e54f7..255c04b3 100644 --- a/tests/all-medical-diagnosis-xray-init-naked.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-naked.expected.yaml 
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/all-medical-diagnosis-xray-init-normal.expected.yaml b/tests/all-medical-diagnosis-xray-init-normal.expected.yaml index b8cd50c3..d2f3f21a 100644 --- a/tests/all-medical-diagnosis-xray-init-normal.expected.yaml +++ b/tests/all-medical-diagnosis-xray-init-normal.expected.yaml 
@@ -12,6 +12,26 @@ data: #!/bin/bash oc create secret generic s3-secret-bck -n xraylab-1 --from-literal=AWS_ACCESS_KEY_ID=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=AccessKey --to=-) --from-literal=AWS_SECRET_ACCESS_KEY=$(oc extract -n openshift-storage secret/rook-ceph-object-user-ocs-storagecluster-cephobjectstore-xraylab-1 --keys=SecretKey --to=-) --- +# Source: xray-init/templates/objectstore-user/cm-wait-for-objectstore.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: wait-for-objectstore + namespace: xraylab-1 + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + wait-for-objectstore.sh: | + #!/bin/bash + # Get ODF version + ODFMINV=$(oc get subs -n openshift-storage odf-operator -o jsonpath='{.status.currentCSV}' | cut -d '.' -f3 ) + if [[ ${ODFMINV} -lt 13 ]] + then + oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + else + oc wait --for=jsonpath='{.status.phase}'=Ready cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=100s + fi +--- # Source: xray-init/templates/s3-bucket-init/cm-s3-bucket-init.yaml kind: ConfigMap apiVersion: v1 @@ -134,6 +154,25 @@ rules: # Source: xray-init/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: view-odf-subs + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +rules: + - apiGroups: + - operators.coreos.com + resources: + - subs + - subscriptions + verbs: + - get + - list + - watch +--- +# Source: xray-init/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: view-odf-objectstoreusers annotations: 
@@ -188,6 +227,24 @@ roleRef: # Source: xray-init/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: view-odf-subs-rb + annotations: + argocd.argoproj.io/hook: PreSync + argocd.argoproj.io/sync-wave: "-15" +subjects: +- kind: ServiceAccount + name: xraylab-1-sa + namespace: xraylab-1 + apiGroup: "" +roleRef: + kind: ClusterRole + name: view-odf-subs + apiGroup: rbac.authorization.k8s.io +--- +# Source: xray-init/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: view-odf-storageclusters annotations: @@ -406,8 +463,17 @@ spec: - /bin/bash - -c - | - oc wait --for=jsonpath='{.status.phase}'=Connected cephobjectstore/ocs-storagecluster-cephobjectstore -n openshift-storage --timeout=900s + '/tmp/wait-for-objectstore.sh' name: wait-odf-cephobjectstore-complete + volumeMounts: + - mountPath: /tmp/wait-for-objectstore.sh + name: wait-for-objectstore + subPath: wait-for-objectstore.sh + volumes: + - name: wait-for-objectstore + configMap: + name: wait-for-objectstore + defaultMode: 0755 dnsPolicy: ClusterFirst restartPolicy: Never serviceAccount: xraylab-1-sa diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml index f9772238..d54a8db6 100644 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ b/tests/common-acm-industrial-edge-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -245,6 +246,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment 
diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml index 5e064480..6e3eedff 100644 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ b/tests/common-acm-medical-diagnosis-hub.expected.yaml @@ -10,6 +10,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -236,6 +237,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment diff --git a/tests/common-acm-naked.expected.yaml b/tests/common-acm-naked.expected.yaml index 86d7277d..cb73d733 100644 --- a/tests/common-acm-naked.expected.yaml +++ b/tests/common-acm-naked.expected.yaml @@ -13,6 +13,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/ocp-gitops-policy.yaml diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml index 79a9dde4..7c7ac7d5 100644 --- a/tests/common-acm-normal.expected.yaml +++ b/tests/common-acm-normal.expected.yaml @@ -399,6 +399,7 @@ metadata: namespace: open-cluster-management annotations: argocd.argoproj.io/sync-wave: "-1" + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' spec: {} --- # Source: acm/templates/policies/acm-hub-ca-policy.yaml @@ -654,6 +655,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment @@ -746,6 +749,8 @@ spec: automated: prune: false selfHeal: true + retry: + limit: 20 ignoreDifferences: - group: apps kind: Deployment 
diff --git a/tests/common-clustergroup-industrial-edge-factory.expected.yaml b/tests/common-clustergroup-industrial-edge-factory.expected.yaml index 3a326973..34255187 100644 --- a/tests/common-clustergroup-industrial-edge-factory.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-factory.expected.yaml @@ -146,6 +146,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -388,6 +389,8 @@ spec: } syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -434,6 +437,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/argocd.yaml @@ -449,6 +454,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize 
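Review bot: The PVC health script never reports Degraded: a PVC in phase `Lost` (or any phase other than Pending/Bound) falls through to Progressing with "Waiting for PVC", and a Pending PVC that will never bind — no default StorageClass, provisioner error, quota — is reported Healthy exactly like one waiting for its first consumer, so a storage failure is hidden from the Argo CD sync status instead of surfacing as a health problem. Treating Pending as Healthy is presumably deliberate for WaitForFirstConsumer volumes, but `Lost` should at least be terminal: add `elseif obj.status.phase == "Lost" then hs.status = "Degraded"; hs.message = obj.status.phase; return hs` next to the Bound branch. The same customization is rendered for the other cluster groups in this diff; the source is pattern-clustergroup/templates/plumbing/argocd.yaml, which is where the change belongs.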
@@ -497,15 +524,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin diff --git a/tests/common-clustergroup-industrial-edge-hub.expected.yaml b/tests/common-clustergroup-industrial-edge-hub.expected.yaml index aedb4ffb..3e0a7153 100644 --- a/tests/common-clustergroup-industrial-edge-hub.expected.yaml +++ b/tests/common-clustergroup-industrial-edge-hub.expected.yaml @@ -307,6 +307,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -719,6 +720,8 @@ spec: ] syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -765,6 +768,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -811,6 +816,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -887,6 +894,8 @@ spec: ] syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -933,6 +942,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -979,6 +990,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml 
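Review bot: The dex stanza moved under `.spec.sso` keeps `openShiftOAuth: true` and, per the context line right after the hunk, `rbac.defaultPolicy: role:admin`, so every OpenShift account that can complete the OAuth login is an administrator of the cluster-wide gitops instance. If the argocd-operator version in use supports it, `sso.dex.groups` can restrict which OpenShift groups may log in (e.g. `groups: ["cluster-admins"]`); alternatively lower the default policy to `role:readonly` and grant admin through explicit `policy` rules. Whichever is intended deserves a comment in pattern-clustergroup/templates/plumbing/argocd.yaml, which this expected file is rendered from, so the open default is recognisably a choice rather than an oversight.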
@@ -1003,6 +1016,8 @@ spec: } syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -1067,6 +1082,8 @@ spec: value: "1.10.3-ubi" syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/argocd.yaml @@ -1082,6 +1099,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -1130,15 +1169,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin diff --git a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml index 5a62327c..83024530 100644 --- a/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml +++ b/tests/common-clustergroup-medical-diagnosis-hub.expected.yaml 
@@ -294,6 +294,7 @@ data: localClusterDomain: apps.region.example.com namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -655,6 +656,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -701,6 +704,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -747,6 +752,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -793,6 +800,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -839,6 +848,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -885,6 +896,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -931,6 +944,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -995,6 +1010,8 @@ spec: value: "1.10.3-ubi" syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -1041,6 +1058,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml 
@@ -1087,6 +1106,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -1142,6 +1163,8 @@ spec: ] syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -1197,6 +1220,8 @@ spec: ] syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -1243,6 +1268,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/argocd.yaml @@ -1258,6 +1285,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -1306,15 +1355,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin 
diff --git a/tests/common-clustergroup-naked.expected.yaml b/tests/common-clustergroup-naked.expected.yaml index f0c12937..6a79b27d 100644 --- a/tests/common-clustergroup-naked.expected.yaml +++ b/tests/common-clustergroup-naked.expected.yaml @@ -66,6 +66,7 @@ data: enabled: all global: options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: true @@ -266,6 +267,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -314,15 +337,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin diff --git a/tests/common-clustergroup-normal.expected.yaml b/tests/common-clustergroup-normal.expected.yaml index 9e1c7abc..dff1e944 100644 --- a/tests/common-clustergroup-normal.expected.yaml +++ b/tests/common-clustergroup-normal.expected.yaml 
@@ -3,9 +3,14 @@ apiVersion: v1 kind: Namespace metadata: + name: open-cluster-management labels: argocd.argoproj.io/managed-by: mypattern-example - name: open-cluster-management + kubernetes.io/os: "linux" + openshift.io/node-selector: "" + annotations: + openshift.io/cluster-monitoring: "true" + owner: "namespace owner" spec: --- # Source: pattern-clustergroup/templates/core/namespaces.yaml @@ -17,6 +22,15 @@ metadata: name: application-ci spec: --- +# Source: pattern-clustergroup/templates/core/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + argocd.argoproj.io/managed-by: mypattern-example + name: excludes-ci +spec: +--- # Source: pattern-clustergroup/templates/imperative/namespace.yaml apiVersion: v1 kind: Namespace @@ -143,8 +157,17 @@ data: name: argo-edge name: example namespaces: - - open-cluster-management + - open-cluster-management: + annotations: + openshift.io/cluster-monitoring: "true" + owner: namespace owner + labels: + kubernetes.io/os: linux + openshift.io/node-selector: "" - application-ci + - excludes-ci + operatorgroupExcludes: + - excludes-ci projects: - datacenter subscriptions: @@ -176,6 +199,7 @@ data: multiClusterTarget: all namespace: pattern-namespace options: + applicationRetryLimit: 20 installPlanApproval: Automatic syncPolicy: Automatic useCSV: false @@ -546,6 +570,8 @@ spec: ] syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/applications.yaml @@ -592,6 +618,8 @@ spec: value: apps.region.example.com syncPolicy: automated: {} + retry: + limit: 20 # selfHeal: true --- # Source: pattern-clustergroup/templates/plumbing/hosted-sites.yaml 
@@ -847,6 +875,28 @@ metadata: annotations: argocd.argoproj.io/compare-options: IgnoreExtraneous spec: +# Adding health checks to argocd to prevent pvc resources +# that aren't bound state from blocking deployments + resourceCustomizations: | + PersistentVolumeClaim: + health.lua: | + hs = {} + if obj.status ~= nil then + if obj.status.phase ~= nil then + if obj.status.phase == "Pending" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + elseif obj.status.phase == "Bound" then + hs.status = "Healthy" + hs.message = obj.status.phase + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for PVC" + return hs applicationInstanceLabelKey: argocd.argoproj.io/instance # Not the greatest way to pass git/quay info to sub-applications, but it will do until # we can support helmChart with kustomize @@ -895,15 +945,17 @@ spec: requests: cpu: 500m memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi + sso: + provider: dex + dex: + openShiftOAuth: true + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 250m + memory: 128Mi initialSSHKnownHosts: {} rbac: defaultPolicy: role:admin diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml index 87362544..a7235b2d 100644 --- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set 
@@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. 
@@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8252,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8272,19 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8300,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8323,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml index 64450598..fd1707a6 100644 --- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8252,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8272,19 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8300,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8323,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml index 64450598..fd1707a6 100644 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8252,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8272,19 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8300,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8323,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml index e73a1f41..49d8f63d 100644 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ b/tests/common-golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8252,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8272,19 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
@@ -7836,10 +8300,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8323,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml index 64450598..fd1707a6 100644 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ b/tests/common-golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml 
@@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -67,8 +67,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -209,8 +208,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -500,6 +498,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -664,8 +665,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -705,7 +705,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -844,6 +844,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: 
@@ -877,11 +894,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -1114,7 +1127,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -1854,7 +1867,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1993,6 +2006,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -2026,11 +2056,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -2114,6 +2140,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string @@ -2344,7 +2373,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -2784,6 +2813,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -2799,7 +2841,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -2832,6 +2873,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -3258,8 +3387,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -3387,8 +3515,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: externalsecrets.external-secrets.io spec: group: external-secrets.io @@ -3586,6 +3713,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: @@ -3888,6 +4023,9 @@ spec: engineVersion: default: v2 type: string + mergePolicy: + default: Replace + type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. properties: @@ -3957,6 +4095,14 @@ spec: type: object status: properties: + binding: + description: Binding represents a servicebinding.io Provisioned Service reference to the secret + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic conditions: items: properties: 
@@ -4006,8 +4152,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4038,6 +4183,9 @@ spec: spec: description: FakeSpec contains the static data. properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string data: additionalProperties: type: string @@ -4065,8 +4213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4174,8 +4321,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -4253,8 +4399,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -4299,6 +4444,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string 
@@ -4424,6 +4572,9 @@ spec: remoteRef: description: Remote Refs to push to providers. properties: + property: + description: Name of the property in the resulting secret + type: string remoteKey: description: Name of the resulting provider secret. type: string @@ -4468,8 +4619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -4509,7 +4659,7 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -4648,6 +4798,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -4681,11 +4848,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string 
@@ -4918,7 +5081,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -5658,7 +5821,7 @@ spec: type: object type: array controller: - description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property' + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' type: string provider: description: Used to configure the provider. Only one provider may be set @@ -5797,6 +5960,23 @@ spec: auth: description: AlibabaAuth contains a secretRef for credentials. properties: + rrsa: + description: Authenticate against Alibaba using RRSA. + properties: + oidcProviderArn: + type: string + oidcTokenFilePath: + type: string + roleArn: + type: string + sessionName: + type: string + required: + - oidcProviderArn + - oidcTokenFilePath + - roleArn + - sessionName + type: object secretRef: description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. properties: @@ -5830,11 +6010,7 @@ spec: - accessKeyIDSecretRef - accessKeySecretSecretRef type: object - required: - - secretRef type: object - endpoint: - type: string regionID: description: Alibaba Region to be used for the provider type: string @@ -5918,6 +6094,9 @@ spec: type: object type: object type: object + externalID: + description: AWS External ID set on assumed IAM roles + type: string region: description: AWS Region to be used for the provider type: string 
@@ -6148,7 +6327,7 @@ spec: type: string type: object gitlab: - description: Gitlab configures this store to sync secrets using Gitlab Variables provider + description: GitLab configures this store to sync secrets using GitLab Variables provider properties: auth: description: Auth configures how secret-manager authenticates with a GitLab instance. @@ -6588,6 +6767,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -6603,7 +6795,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -6636,6 +6827,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7062,8 +7341,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io @@ -7092,6 +7370,9 @@ spec: type: object spec: properties: + controller: + description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + type: string method: description: Vault API method to use (GET/POST/other) type: string @@ -7117,6 +7398,19 @@ spec: roleId: description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. type: string + roleRef: + description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object secretRef: description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. properties: @@ -7132,7 +7426,6 @@ spec: type: object required: - path - - roleId - secretRef type: object cert: 
@@ -7165,6 +7458,94 @@ spec: type: string type: object type: object + iam: + description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + properties: + externalID: + description: AWS External ID set on assumed IAM roles + type: string + jwt: + description: Specify a service account with IRSA enabled + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + type: object + path: + description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' + type: string + region: + description: AWS region + type: string + role: + description: This is the AWS role to be assumed before talking to vault + type: string + secretRef: + description: Specify credentials in a Secret object + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + type: object + vaultAwsIamServerID: + description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' + type: string + vaultRole: + description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine + type: string + required: + - vaultRole + type: object jwt: description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method properties: 
@@ -7360,6 +7741,10 @@ spec: - auth - server type: object + resultType: + default: Data + description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + type: string required: - path - provider @@ -7386,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7437,6 +7822,15 @@ rules: - "watch" - "update" - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7444,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
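Review bot: The `coordination.k8s.io` leases rule added to the `common-golang-external-secrets-cert-controller` ClusterRole in `@@ -7437` grants get/create/update/patch on leases in every namespace, whereas the main controller's equivalent need is met by the namespaced `common-golang-external-secrets-leaderelection` Role further down (L344). If this is only for the cert-controller's own leader election, a Role/RoleBinding in the release namespace is the least-privilege shape; cluster-wide write on leases would let a compromised cert-controller interfere with leader election of unrelated controllers. This file is rendered output of the external-secrets subchart, so the change belongs in the subchart values or upstream, not in the fixture.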
@@ -7553,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7573,6 +7967,19 @@ rules: - "get" - "watch" - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "get" + - "watch" + - "list" --- # Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7580,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -7601,6 +8008,43 @@ rules: - "deletecollection" - "patch" - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "passwords" + - "vaultdynamicsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: common-golang-external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + helm.sh/chart: external-secrets-0.8.3 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: common-golang-external-secrets + app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "get" + - "list" + - "watch" --- # Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -7608,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -7628,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7664,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7703,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -7724,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -7748,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7768,9 +8212,19 @@ spec: spec: serviceAccountName: external-secrets-cert-controller automountServiceAccountToken: true + hostNetwork: false containers: - name: cert-controller - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -7798,10 +8252,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7818,9 +8272,19 @@ spec: spec: serviceAccountName: common-golang-external-secrets automountServiceAccountToken: true + hostNetwork: false containers: - name: external-secrets - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 
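Review bot: Both hardened containers in `@@ -7768` and `@@ -7818` still pull `ghcr.io/external-secrets/external-secrets:v0.8.3-ubi` by mutable tag, so the new `securityContext` constrains how the process runs but not which image runs; if the subchart allows it, pin by digest alongside the tag. `runAsNonRoot: true` is set without a `runAsUser`, which relies on the image's `USER` or the OpenShift SCC to supply a non-root uid — fine on OpenShift, but worth noting if these fixtures are ever rendered for other targets. The `webhook` deployment hunk on L346 receives the same `securityContext` but no explicit `hostNetwork: false`; the pod default is false, so behaviour is unchanged, only consistency differs.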
@@ -7836,10 +8300,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.1 + helm.sh/chart: external-secrets-0.8.3 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.1" + app.kubernetes.io/version: "v0.8.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -7859,7 +8323,16 @@ spec: automountServiceAccountToken: true containers: - name: webhook - image: "ghcr.io/external-secrets/external-secrets:v0.8.1-ubi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml index 63889f70..8649bf1c 100644 --- a/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-factory.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml index 63889f70..8649bf1c 100644 --- a/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml +++ b/tests/common-hashicorp-vault-industrial-edge-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml index 63889f70..8649bf1c 100644 --- a/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ b/tests/common-hashicorp-vault-medical-diagnosis-hub.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" 
@@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-naked.expected.yaml b/tests/common-hashicorp-vault-naked.expected.yaml index d0d10b05..682eeb67 100644 --- a/tests/common-hashicorp-vault-naked.expected.yaml +++ b/tests/common-hashicorp-vault-naked.expected.yaml @@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm 
@@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server @@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-hashicorp-vault-normal.expected.yaml b/tests/common-hashicorp-vault-normal.expected.yaml index 63889f70..8649bf1c 100644 --- a/tests/common-hashicorp-vault-normal.expected.yaml +++ b/tests/common-hashicorp-vault-normal.expected.yaml 
@@ -6,7 +6,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -18,7 +18,7 @@ metadata: name: common-hashicorp-vault-config namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -42,7 +42,7 @@ kind: ClusterRoleBinding metadata: name: common-hashicorp-vault-server-binding labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -63,7 +63,7 @@ metadata: name: common-hashicorp-vault-internal namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -95,7 +95,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -126,7 +126,7 @@ metadata: name: common-hashicorp-vault-ui namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault-ui app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -168,7 +168,7 @@ spec: template: metadata: labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault component: server 
@@ -205,7 +205,7 @@ spec: containers: - name: vault - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent command: - "/bin/sh" @@ -346,7 +346,7 @@ metadata: name: common-hashicorp-vault namespace: default labels: - helm.sh/chart: vault-0.23.0 + helm.sh/chart: vault-0.24.1 app.kubernetes.io/name: vault app.kubernetes.io/instance: common-hashicorp-vault app.kubernetes.io/managed-by: Helm @@ -373,7 +373,7 @@ spec: containers: - name: common-hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.12.1-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi imagePullPolicy: IfNotPresent env: - name: VAULT_ADDR diff --git a/tests/common-letsencrypt-industrial-edge-factory.expected.yaml b/tests/common-letsencrypt-industrial-edge-factory.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null +++ b/tests/common-letsencrypt-industrial-edge-factory.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-industrial-edge-hub.expected.yaml b/tests/common-letsencrypt-industrial-edge-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/tests/common-letsencrypt-industrial-edge-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml b/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml new file mode 100644 index 00000000..b5aded2f 
--- /dev/null +++ b/tests/common-letsencrypt-medical-diagnosis-hub.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-naked.expected.yaml b/tests/common-letsencrypt-naked.expected.yaml new file mode 100644 index 00000000..73aa94a4 --- /dev/null 
+++ b/tests/common-letsencrypt-naked.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.example.com' + usages: + - server auth + dnsNames: + - api.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.example.com' + usages: + - server auth + dnsNames: + - '*.apps.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-letsencrypt-normal.expected.yaml b/tests/common-letsencrypt-normal.expected.yaml new file mode 100644 index 00000000..b5aded2f --- /dev/null 
+++ b/tests/common-letsencrypt-normal.expected.yaml 
@@ -0,0 +1,202 @@ +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager-operator +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager +spec: +--- +# Source: letsencrypt/templates/namespaces.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: letsencrypt +spec: +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + servingCerts: + namedCertificates: + - names: + - api.region.example.com + servingCertificate: + name: api-validated-patterns-letsencrypt-cert +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: openshift-gitops + namespace: openshift-gitops + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + server: + route: + enabled: true + tls: + termination: reencrypt +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operator.openshift.io/v1alpha1 +kind: CertManager +metadata: + name: cluster + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + managementState: "Managed" + unsupportedConfigOverrides: + # Here's an example to supply custom DNS settings. 
+ controller: + args: + - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" + - "--dns01-recursive-nameservers-only" +--- +# Source: letsencrypt/templates/api-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-validated-patterns-cert + namespace: openshift-config + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: api-validated-patterns-letsencrypt-cert + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: 'api.region.example.com' + usages: + - server auth + dnsNames: + - api.region.example.com + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/wildcard-cert.yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lets-encrypt-certs + namespace: openshift-ingress + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + secretName: lets-encrypt-wildcart-cert-tls + duration: 168h0m0s + renewBefore: 28h0m0s + commonName: '*.apps.region.example.com' + usages: + - server auth + dnsNames: + - '*.apps.region.example.com' + issuerRef: + name: validated-patterns-issuer + kind: ClusterIssuer + subject: + organizations: + - hybrid-cloud-patterns.io +--- +# Source: letsencrypt/templates/issuer.yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: validated-patterns-issuer + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: test@example.com + privateKeySecretRef: + name: validated-patterns-issuer-account-key + solvers: + - selector: {} + dns01: + route53: + region: eu-central-1 + accessKeyIDSecretRef: + name: cert-manager-dns-credentials + key: aws_access_key_id + secretAccessKeySecretRef: + name: cert-manager-dns-credentials + key: aws_secret_access_key +--- +# Source: 
letsencrypt/templates/credentials-request.yaml +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: letsencrypt-cert-manager-dns + namespace: openshift-cloud-credential-operator + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - 'route53:ChangeResourceRecordSets' + - 'route53:GetChange' + - 'route53:ListHostedZonesByName' + - 'route53:ListHostedZones' + effect: Allow + resource: '*' + secretRef: + name: cert-manager-dns-credentials + namespace: cert-manager +--- +# Source: letsencrypt/templates/default-routes.yaml +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true +spec: + routeAdmission: + wildcardPolicy: WildcardsAllowed + defaultCertificate: + name: lets-encrypt-wildcart-cert-tls +# Patch the cluster-wide argocd instance so it uses the ingress tls cert +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cert-manager-operator + namespace: cert-manager-operator +spec: + targetNamespaces: + - cert-manager-operator +--- +# Source: letsencrypt/templates/cert-manager-installation.yaml +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-cert-manager-operator + namespace: cert-manager-operator +spec: + channel: "stable-v1" + installPlanApproval: Automatic + name: openshift-cert-manager-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/tests/common-operator-install-industrial-edge-factory.expected.yaml b/tests/common-operator-install-industrial-edge-factory.expected.yaml index 86216703..3a65cc7c 100644 
--- a/tests/common-operator-install-industrial-edge-factory.expected.yaml +++ b/tests/common-operator-install-industrial-edge-factory.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/tests/common-operator-install-industrial-edge-hub.expected.yaml b/tests/common-operator-install-industrial-edge-hub.expected.yaml index 86216703..3a65cc7c 100644 --- a/tests/common-operator-install-industrial-edge-hub.expected.yaml +++ b/tests/common-operator-install-industrial-edge-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml index 86216703..3a65cc7c 100644 --- a/tests/common-operator-install-medical-diagnosis-hub.expected.yaml +++ b/tests/common-operator-install-medical-diagnosis-hub.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 diff --git a/tests/common-operator-install-naked.expected.yaml b/tests/common-operator-install-naked.expected.yaml index 1289183d..beabcc82 100644 --- a/tests/common-operator-install-naked.expected.yaml +++ b/tests/common-operator-install-naked.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1 
diff --git a/tests/common-operator-install-normal.expected.yaml b/tests/common-operator-install-normal.expected.yaml index 86216703..3a65cc7c 100644 --- a/tests/common-operator-install-normal.expected.yaml +++ b/tests/common-operator-install-normal.expected.yaml @@ -12,6 +12,7 @@ spec: targetRevision: main gitOpsSpec: operatorChannel: gitops-1.8 + operatorSource: redhat-operators --- # Source: pattern-install/templates/subscription.yaml apiVersion: operators.coreos.com/v1alpha1