diff --git a/kubernetes-external-secrets/kubernetes-client.io_externalsecrets_crd.yaml b/kubernetes-external-secrets/kubernetes-client.io_externalsecrets_crd.yaml
deleted file mode 100644
index aa16ca76d89..00000000000
--- a/kubernetes-external-secrets/kubernetes-client.io_externalsecrets_crd.yaml
+++ /dev/null
@@ -1,141 +0,0 @@
-# Source: https://github.com/external-secrets/kubernetes-external-secrets/blob/master/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: externalsecrets.kubernetes-client.io
- annotations:
- # used in e2e testing
- app.kubernetes.io/managed-by: helm
-spec:
- group: kubernetes-client.io
- version: v1
- scope: Namespaced
-
- names:
- shortNames:
- - es
- kind: ExternalSecret
- plural: externalsecrets
- singular: externalsecret
-
- additionalPrinterColumns:
- - JSONPath: .status.lastSync
- name: Last Sync
- type: date
- - JSONPath: .status.status
- name: status
- type: string
- - JSONPath: .metadata.creationTimestamp
- name: Age
- type: date
-
- validation:
- openAPIV3Schema:
- properties:
- spec:
- type: object
- properties:
- template:
- description: Template which will be deep merged without mutating
- any existing fields. into generated secret, can be used to
- set for example annotations or type on the generated secret
- type: object
- backendType:
- type: string
- enum:
- - secretsManager
- - systemManager
- - vault
- - azureKeyVault
- - gcpSecretsManager
- - alicloudSecretsManager
- - ibmcloudSecretsManager
- vaultRole:
- type: string
- vaultMountPoint:
- type: string
- kvVersion:
- description: Vault K/V version either 1 or 2, default = 2
- type: integer
- minimum: 1
- maximum: 2
- keyVaultName:
- type: string
- key:
- type: string
- dataFrom:
- type: array
- items:
- type: string
- data:
- type: array
- items:
- type: object
- anyOf:
- - properties:
- key:
- description: Secret key in backend
- type: string
- name:
- description: Name set for this key in the generated secret
- type: string
- property:
- description: Property to extract if secret in backend is a JSON object
- isBinary:
- description: >-
- Whether the backend secret shall be treated as binary data
- represented by a base64-encoded string.
You must set this to true
- for any base64-encoded binary data in the backend - to ensure it
- is not encoded in base64 again. Default is false.
- type: boolean
- required:
- - key
- - name
- - properties:
- path:
- description: >-
- Path from SSM to scrape secrets
- This will fetch all secrets and use the key from the secret as variable name
- recursive:
- description: Allow to recurse thru all child keys on a given path
- type: boolean
- required:
- - path
- roleArn:
- type: string
- oneOf:
- - properties:
- backendType:
- enum:
- - secretsManager
- - systemManager
- - properties:
- backendType:
- enum:
- - vault
- - properties:
- backendType:
- enum:
- - azureKeyVault
- required:
- - keyVaultName
- - properties:
- backendType:
- enum:
- - gcpSecretsManager
- - properties:
- backendType:
- enum:
- - alicloudSecretsManager
- - properties:
- backendType:
- enum:
- - ibmcloudSecretsManager
- anyOf:
- - required:
- - data
- - required:
- - dataFrom
- subresources:
- status: {}
diff --git a/kubernetes-external-secrets/kubernetes-external-secrets-serviceaccounts.yaml b/kubernetes-external-secrets/kubernetes-external-secrets-serviceaccounts.yaml
new file mode 100644
index 00000000000..c7fbf08bb33
--- /dev/null
+++ b/kubernetes-external-secrets/kubernetes-external-secrets-serviceaccounts.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com
+ name: kubernetes-external-secrets
+ namespace: kubernetes-external-secrets
diff --git a/kubernetes-external-secrets/deployment.yaml b/kubernetes-external-secrets/kubernetes-external-secrets.yaml
similarity index 90%
rename from kubernetes-external-secrets/deployment.yaml
rename to kubernetes-external-secrets/kubernetes-external-secrets.yaml
index 98e89e116ce..35daf395f94 100644
--- a/kubernetes-external-secrets/deployment.yaml
+++ b/kubernetes-external-secrets/kubernetes-external-secrets.yaml
@@ -1,9 +1,8 @@
-
 ---
 apiVersion: v1
 kind: Service
 metadata:
- name: kubernetes-external-secrets
+ name: kubernetes-external-secrets-metrics
 namespace: kubernetes-external-secrets
 labels:
 app: kubernetes-external-secrets
@@ -36,14 +35,14 @@ spec:
 serviceAccountName: kubernetes-external-secrets
 containers:
 - name: kubernetes-external-secrets
- image: "ghcr.io/external-secrets/kubernetes-external-secrets:7.0.1"
- imagePullPolicy: Always
+ image: "ghcr.io/external-secrets/kubernetes-external-secrets:8.1.2"
+ imagePullPolicy: IfNotPresent
 ports:
 - name: prometheus
 containerPort: 3001
 env:
 - name: "LOG_LEVEL"
- value: "debug" # TODO(ameukam): switch to info
+ value: "debug"
 - name: "LOG_MESSAGE_KEY"
 value: "msg"
 - name: "METRICS_PORT"
@@ -55,3 +54,4 @@ spec:
 # Params for env vars populated from k8s secrets
 securityContext:
 runAsNonRoot: true
+
diff --git a/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml b/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml
new file mode 100644
index 00000000000..dc8e6bc6034
--- /dev/null
+++ b/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml
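Review bot: The new image reference `image: "ghcr.io/external-secrets/kubernetes-external-secrets:8.1.2"` pins a mutable tag, and the switch to `imagePullPolicy: IfNotPresent` means whichever image a node already has cached under that tag is what runs, so a re-pushed tag could be picked up on some nodes and not others. Pinning by digest, e.g. `image: "ghcr.io/external-secrets/kubernetes-external-secrets:8.1.2@sha256:<digest of the 8.1.2 image>"`, makes the rollout deterministic and verifiable regardless of pull policy. Separately, the TODO on `LOG_LEVEL` was dropped while the value stays `"debug"`; for a controller that handles secret material, a short comment stating why debug output is intended here (or switching to `"info"` as the TODO proposed) would help the next reader. The container spec continues outside the hunk.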
@@ -0,0 +1,206 @@
+# From https://github.com/external-secrets/kubernetes-external-secrets/blob/8.1.2/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: externalsecrets.kubernetes-client.io
+ annotations:
+ # used in e2e testing
+ app.kubernetes.io/managed-by: helm
+spec:
+ group: kubernetes-client.io
+ scope: Namespaced
+
+ preserveUnknownFields: false
+
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ required:
+ - spec
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ controllerId:
+ description: The ID of controller instance that manages this ExternalSecret.
+ This is needed in case there is more than a KES controller instances within the cluster.
+ type: string
+ type:
+ type: string
+ description: >-
+ DEPRECATED: Use spec.template.type
+ template:
+ description: Template which will be deep merged without mutating
+ any existing fields.
into generated secret, can be used to
+ set for example annotations or type on the generated secret
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ backendType:
+ description: >-
+ Determines which backend to use for fetching secrets
+ type: string
+ enum:
+ - secretsManager
+ - systemManager
+ - vault
+ - azureKeyVault
+ - gcpSecretsManager
+ - alicloudSecretsManager
+ - ibmcloudSecretsManager
+ - akeyless
+ vaultRole:
+ description: >-
+ Used by: vault
+ type: string
+ vaultMountPoint:
+ description: >-
+ Used by: vault
+ type: string
+ kvVersion:
+ description: Vault K/V version either 1 or 2, default = 2
+ type: integer
+ minimum: 1
+ maximum: 2
+ keyVaultName:
+ description: >-
+ Used by: azureKeyVault
+ type: string
+ dataFrom:
+ type: array
+ items:
+ type: string
+ data:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ description: Secret key in backend
+ type: string
+ name:
+ description: Name set for this key in the generated secret
+ type: string
+ property:
+ description: Property to extract if secret in backend is a JSON object
+ type: string
+ isBinary:
+ description: >-
+ Whether the backend secret shall be treated as binary data
+ represented by a base64-encoded string. You must set this to true
+ for any base64-encoded binary data in the backend - to ensure it
+ is not encoded in base64 again. Default is false.
+ type: boolean
+ path:
+ description: >-
+ Path from SSM to scrape secrets
+ This will fetch all secrets and use the key from the secret as variable name
+ type: string
+ recursive:
+ description: Allow to recurse thru all child keys on a given path, default false
+ type: boolean
+ secretType:
+ description: >-
+ Used by: ibmcloudSecretsManager
+ Type of secret - one of username_password, iam_credentials or arbitrary
+ type: string
+ version:
+ description: >-
+ Used by: gcpSecretsManager
+ type: string
+ x-kubernetes-int-or-string: true
+ versionStage:
+ description: >-
+ Used by: alicloudSecretsManager, secretsManager
+ type: string
+ versionId:
+ description: >-
+ Used by: secretsManager
+ type: string
+ oneOf:
+ - required:
+ - key
+ - name
+ - required:
+ - path
+ roleArn:
+ type: string
+ description: >-
+ Used by: alicloudSecretsManager, secretsManager, systemManager
+ region:
+ type: string
+ description: >-
+ Used by: secretsManager, systemManager
+ projectId:
+ type: string
+ description: >-
+ Used by: gcpSecretsManager
+ oneOf:
+ - properties:
+ backendType:
+ enum:
+ - secretsManager
+ - systemManager
+ - properties:
+ backendType:
+ enum:
+ - vault
+ - properties:
+ backendType:
+ enum:
+ - azureKeyVault
+ required:
+ - keyVaultName
+ - properties:
+ backendType:
+ enum:
+ - gcpSecretsManager
+ - properties:
+ backendType:
+ enum:
+ - alicloudSecretsManager
+ - properties:
+ backendType:
+ enum:
+ - ibmcloudSecretsManager
+ - properties:
+ backendType:
+ enum:
+ - akeyless
+ anyOf:
+ - required:
+ - data
+ - required:
+ - dataFrom
+ status:
+ type: object
+ properties:
+ lastSync:
+ type: string
+ status:
+ type: string
+ observedGeneration:
+ type: number
+ additionalPrinterColumns:
+ - jsonPath: .status.lastSync
+ name: Last Sync
+ type: date
+ - jsonPath: .status.status
+ name: status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+
+ names:
+ shortNames:
+ - es
+ kind: ExternalSecret
+ plural: externalsecrets
+
singular: externalsecret
diff --git a/kubernetes-external-secrets/rbac.yaml b/kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
similarity index 79%
rename from kubernetes-external-secrets/rbac.yaml
rename to kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
index 5c80d170eed..22119ef0810 100644
--- a/kubernetes-external-secrets/rbac.yaml
+++ b/kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
@@ -1,12 +1,4 @@
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kubernetes-external-secrets
- namespace: kubernetes-external-secrets
- annotations:
- iam.gke.io/gcp-service-account: kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,14 +22,13 @@ rules:
 - apiGroups: ["kubernetes-client.io"]
 resources: ["externalsecrets/status"]
 verbs: ["get", "update"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: kubernetes-external-secrets
+ labels:
+ app: kubernetes-external-secrets
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
@@ -51,6 +42,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: kubernetes-external-secrets-auth
+ labels:
+ app: kubernetes-external-secrets
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
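Review bot: Dropping the `create` verb on `customresourcedefinitions` from the ClusterRole means the ExternalSecret CRD now has to exist before the controller starts, and a controller that still tries to register the CRD at startup would be refused by RBAC rather than succeed. That is the right direction for least privilege, but the ordering dependency is not recorded anywhere in this hunk; a comment above the rules such as `# CRDs are shipped statically in kubernetes-external-secrets_crd.yaml; the controller is not allowed to create them itself` would make it explicit, and confirming that the 8.1.2 deployment is configured not to create CRDs would close the gap. The ClusterRole's rules list starts outside the hunk.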