From d2339696b4f5ae8dce2e8ef7170f256f055f6aec Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Tue, 15 Jun 2021 17:15:25 -0400
Subject: [PATCH 1/2] kubernetes-external-secrets: mv to match filenames in prow
---
 .../{deployment.yaml => kubernetes-external-secrets.yaml} | 0
 ...ernalsecrets_crd.yaml => kubernetes-external-secrets_crd.yaml} | 0
 .../{rbac.yaml => kubernetes-external-secrets_rbac.yaml} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename kubernetes-external-secrets/{deployment.yaml => kubernetes-external-secrets.yaml} (100%)
 rename kubernetes-external-secrets/{kubernetes-client.io_externalsecrets_crd.yaml => kubernetes-external-secrets_crd.yaml} (100%)
 rename kubernetes-external-secrets/{rbac.yaml => kubernetes-external-secrets_rbac.yaml} (100%)
diff --git a/kubernetes-external-secrets/deployment.yaml b/kubernetes-external-secrets/kubernetes-external-secrets.yaml
similarity index 100%
rename from kubernetes-external-secrets/deployment.yaml
rename to kubernetes-external-secrets/kubernetes-external-secrets.yaml
diff --git a/kubernetes-external-secrets/kubernetes-client.io_externalsecrets_crd.yaml b/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml
similarity index 100%
rename from kubernetes-external-secrets/kubernetes-client.io_externalsecrets_crd.yaml
rename to kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml
diff --git a/kubernetes-external-secrets/rbac.yaml b/kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
similarity index 100%
rename from kubernetes-external-secrets/rbac.yaml
rename to kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
From bd32c9e82de0594d28301bbcf015dac1f0119213 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Tue, 15 Jun 2021 17:17:02 -0400
Subject: [PATCH 2/2] kubernetes-external-secrets: upgrade to v8.1.2
Changes from prow's copy:
- don't expose kubernetes-external-secrets-metrics for now (want to redo ensure-static-ips.sh as terraform in a different PR)
- different service account
---
 ...etes-external-secrets-serviceaccounts.yaml | 8 +
 .../kubernetes-external-secrets.yaml | 10 +-
 .../kubernetes-external-secrets_crd.yaml | 275 +++++++++++-------
 .../kubernetes-external-secrets_rbac.yaml | 15 +-
 4 files changed, 187 insertions(+), 121 deletions(-)
 create mode 100644 kubernetes-external-secrets/kubernetes-external-secrets-serviceaccounts.yaml
diff --git a/kubernetes-external-secrets/kubernetes-external-secrets-serviceaccounts.yaml b/kubernetes-external-secrets/kubernetes-external-secrets-serviceaccounts.yaml
new file mode 100644
index 00000000000..c7fbf08bb33
--- /dev/null
+++ b/kubernetes-external-secrets/kubernetes-external-secrets-serviceaccounts.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com
+ name: kubernetes-external-secrets
+ namespace: kubernetes-external-secrets
diff --git a/kubernetes-external-secrets/kubernetes-external-secrets.yaml b/kubernetes-external-secrets/kubernetes-external-secrets.yaml
index 98e89e116ce..35daf395f94 100644
--- a/kubernetes-external-secrets/kubernetes-external-secrets.yaml
+++ b/kubernetes-external-secrets/kubernetes-external-secrets.yaml
@@ -1,9 +1,8 @@
-
 ---
 apiVersion: v1
 kind: Service
 metadata:
- name: kubernetes-external-secrets
+ name: kubernetes-external-secrets-metrics
 namespace: kubernetes-external-secrets
 labels:
 app: kubernetes-external-secrets
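Review bot: The new ServiceAccount carries no `labels`, while the same commit adds `labels:` / `app: kubernetes-external-secrets` to both ClusterRoleBindings in kubernetes-external-secrets_rbac.yaml; adding the same label under `metadata:` here keeps every object of this component selectable as one set. The Workload Identity annotation is the only metadata the account has, so the label is purely a consistency point and changes nothing about what the account can do.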
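Review bot: Renaming the Service from `kubernetes-external-secrets` to `kubernetes-external-secrets-metrics` leaves the old Service object in the cluster on a plain `kubectl apply`, because apply does not delete an object whose name changed; the rollout needs an explicit deletion of the old Service (or a prune step), otherwise two Services select the same pods. The commit message says the metrics service is not to be exposed for now, so it is worth confirming the left-over object is not the one still reachable. The Service spec continues outside this hunk.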
@@ -36,14 +35,14 @@ spec:
 serviceAccountName: kubernetes-external-secrets
 containers:
 - name: kubernetes-external-secrets
- image: "ghcr.io/external-secrets/kubernetes-external-secrets:7.0.1"
- imagePullPolicy: Always
+ image: "ghcr.io/external-secrets/kubernetes-external-secrets:8.1.2"
+ imagePullPolicy: IfNotPresent
 ports:
 - name: prometheus
 containerPort: 3001
 env:
 - name: "LOG_LEVEL"
- value: "debug" # TODO(ameukam): switch to info
+ value: "debug"
 - name: "LOG_MESSAGE_KEY"
 value: "msg"
 - name: "METRICS_PORT"
@@ -55,3 +54,4 @@ spec:
 # Params for env vars populated from k8s secrets
 securityContext:
 runAsNonRoot: true
+
diff --git a/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml b/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml
index aa16ca76d89..dc8e6bc6034 100644
--- a/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml
+++ b/kubernetes-external-secrets/kubernetes-external-secrets_crd.yaml
@@ -1,6 +1,6 @@
-# Source: https://github.com/external-secrets/kubernetes-external-secrets/blob/master/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml
+# From https://github.com/external-secrets/kubernetes-external-secrets/blob/8.1.2/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: externalsecrets.kubernetes-client.io
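Review bot: The image is pinned by tag only, and the pull policy switches to `IfNotPresent` in the same hunk, so a node that already holds an image under the `8.1.2` tag keeps using it even if that tag is later re-pushed; for a controller that reads secret backends, pin the digest as well, `image: "ghcr.io/external-secrets/kubernetes-external-secrets:8.1.2@sha256:<DIGEST-OF-8.1.2>"` (placeholder, take the digest from the registry), which also makes the upgrade reproducible across nodes. The hunk also drops the `# TODO(ameukam): switch to info` comment while leaving `LOG_LEVEL` at `"debug"`; if debug output is still intended, keep the TODO so the noisier logging of a secrets controller is not forgotten. The container spec continues outside this hunk.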
@@ -9,71 +9,78 @@ metadata: app.kubernetes.io/managed-by: helm spec: group: kubernetes-client.io - version: v1 scope: Namespaced - names: - shortNames: - - es - kind: ExternalSecret - plural: externalsecrets - singular: externalsecret - - additionalPrinterColumns: - - JSONPath: .status.lastSync - name: Last Sync - type: date - - JSONPath: .status.status - name: status - type: string - - JSONPath: .metadata.creationTimestamp - name: Age - type: date + preserveUnknownFields: false - validation: - openAPIV3Schema: - properties: - spec: + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + required: + - spec type: object properties: - template: - description: Template which will be deep merged without mutating - any existing fields. into generated secret, can be used to - set for example annotations or type on the generated secret + spec: type: object - backendType: - type: string - enum: - - secretsManager - - systemManager - - vault - - azureKeyVault - - gcpSecretsManager - - alicloudSecretsManager - - ibmcloudSecretsManager - vaultRole: - type: string - vaultMountPoint: - type: string - kvVersion: - description: Vault K/V version either 1 or 2, default = 2 - type: integer - minimum: 1 - maximum: 2 - keyVaultName: - type: string - key: - type: string - dataFrom: - type: array - items: - type: string - data: - type: array - items: - type: object - anyOf: - - properties: + properties: + controllerId: + description: The ID of controller instance that manages this ExternalSecret. + This is needed in case there is more than a KES controller instances within the cluster. + type: string + type: + type: string + description: >- + DEPRECATED: Use spec.template.type + template: + description: Template which will be deep merged without mutating + any existing fields. 
into generated secret, can be used to + set for example annotations or type on the generated secret + type: object + x-kubernetes-preserve-unknown-fields: true + backendType: + description: >- + Determines which backend to use for fetching secrets + type: string + enum: + - secretsManager + - systemManager + - vault + - azureKeyVault + - gcpSecretsManager + - alicloudSecretsManager + - ibmcloudSecretsManager + - akeyless + vaultRole: + description: >- + Used by: vault + type: string + vaultMountPoint: + description: >- + Used by: vault + type: string + kvVersion: + description: Vault K/V version either 1 or 2, default = 2 + type: integer + minimum: 1 + maximum: 2 + keyVaultName: + description: >- + Used by: azureKeyVault + type: string + dataFrom: + type: array + items: + type: string + data: + type: array + items: + type: object + properties: key: description: Secret key in backend type: string @@ -82,6 +89,7 @@ spec: type: string property: description: Property to extract if secret in backend is a JSON object + type: string isBinary: description: >- Whether the backend secret shall be treated as binary data 
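Review bot: The move to apiextensions.k8s.io/v1 with `preserveUnknownFields: false` turns on field pruning: any field on an existing ExternalSecret that is not declared in this schema is dropped on the object's next write, with only `template` opting out via `x-kubernetes-preserve-unknown-fields: true`. That is a behaviour change from the v1beta1 definition being replaced, which kept unknown fields, so the ExternalSecret objects already in the cluster are worth checking against the new schema before this is applied; the controller would otherwise act on silently narrowed specs. The `versions` block and its schema continue past this hunk.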
@@ -89,53 +97,110 @@ spec: for any base64-encoded binary data in the backend - to ensure it is not encoded in base64 again. Default is false. type: boolean - required: - - key - - name - - properties: path: description: >- Path from SSM to scrape secrets This will fetch all secrets and use the key from the secret as variable name + type: string recursive: - description: Allow to recurse thru all child keys on a given path + description: Allow to recurse thru all child keys on a given path, default false type: boolean - required: - - path - roleArn: - type: string - oneOf: - - properties: - backendType: - enum: - - secretsManager - - systemManager - - properties: - backendType: - enum: - - vault - - properties: - backendType: - enum: - - azureKeyVault - required: - - keyVaultName - - properties: - backendType: - enum: - - gcpSecretsManager - - properties: - backendType: - enum: - - alicloudSecretsManager - - properties: - backendType: - enum: - - ibmcloudSecretsManager - anyOf: - - required: - - data - - required: - - dataFrom - subresources: - status: {} + secretType: + description: >- + Used by: ibmcloudSecretsManager + Type of secret - one of username_password, iam_credentials or arbitrary + type: string + version: + description: >- + Used by: gcpSecretsManager + type: string + x-kubernetes-int-or-string: true + versionStage: + description: >- + Used by: alicloudSecretsManager, secretsManager + type: string + versionId: + description: >- + Used by: secretsManager + type: string + oneOf: + - required: + - key + - name + - required: + - path + roleArn: + type: string + description: >- + Used by: alicloudSecretsManager, secretsManager, systemManager + region: + type: string + description: >- + Used by: secretsManager, systemManager + projectId: + type: string + description: >- + Used by: gcpSecretsManager + oneOf: + - properties: + backendType: + enum: + - secretsManager + - systemManager + - properties: + backendType: + enum: + - vault + - properties: + 
backendType:
+ enum:
+ - azureKeyVault
+ required:
+ - keyVaultName
+ - properties:
+ backendType:
+ enum:
+ - gcpSecretsManager
+ - properties:
+ backendType:
+ enum:
+ - alicloudSecretsManager
+ - properties:
+ backendType:
+ enum:
+ - ibmcloudSecretsManager
+ - properties:
+ backendType:
+ enum:
+ - akeyless
+ anyOf:
+ - required:
+ - data
+ - required:
+ - dataFrom
+ status:
+ type: object
+ properties:
+ lastSync:
+ type: string
+ status:
+ type: string
+ observedGeneration:
+ type: number
+ additionalPrinterColumns:
+ - jsonPath: .status.lastSync
+ name: Last Sync
+ type: date
+ - jsonPath: .status.status
+ name: status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+
+ names:
+ shortNames:
+ - es
+ kind: ExternalSecret
+ plural: externalsecrets
+ singular: externalsecret
diff --git a/kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml b/kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
index 5c80d170eed..22119ef0810 100644
--- a/kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
+++ b/kubernetes-external-secrets/kubernetes-external-secrets_rbac.yaml
@@ -1,12 +1,4 @@
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kubernetes-external-secrets
- namespace: kubernetes-external-secrets
- annotations:
- iam.gke.io/gcp-service-account: kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -30,14 +22,13 @@ rules:
 - apiGroups: ["kubernetes-client.io"]
 resources: ["externalsecrets/status"]
 verbs: ["get", "update"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: kubernetes-external-secrets
+ labels:
+ app: kubernetes-external-secrets
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
@@ -51,6 +42,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: kubernetes-external-secrets-auth
+ labels:
+ app: kubernetes-external-secrets
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole