/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
)
// Condition reasons. They are plain strings rather than a typed enum, so they
// are presumably placed in PushSecretStatusCondition.Reason by the controller
// (the PushSecret "Status" print column reads .status.conditions[...].reason).
const (
	// ReasonSynced: the last push completed.
	ReasonSynced = "Synced"
	// ReasonErrored: the last push failed.
	ReasonErrored = "Errored"
)
// PushSecretStoreRef identifies the SecretStore(s) a PushSecret pushes to.
// A store can be addressed by name or by label selector; both fields are
// optional in the schema, so this type itself does not enforce that exactly
// one of them is set.
type PushSecretStoreRef struct {
	// Optionally, sync to the SecretStore of the given name
	// +optional
	Name string `json:"name,omitempty"`
	// Optionally, sync to secret stores with label selector
	// +optional
	LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty"` // may match several stores; presumably each receives the push — confirm in the controller
	// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
	// Defaults to `SecretStore`
	// +kubebuilder:default="SecretStore"
	// +optional
	Kind string `json:"kind,omitempty"`
}
// PushSecretUpdatePolicy selects how an already existing provider secret is
// treated. The CRD schema restricts it to the two values below; the value
// names state the intent, the actual provider behaviour is implemented in the
// controller, not in this package.
// +kubebuilder:validation:Enum=Replace;IfNotExists
type PushSecretUpdatePolicy string

const (
	// PushSecretUpdatePolicyReplace is the default chosen in PushSecretSpec.
	PushSecretUpdatePolicyReplace PushSecretUpdatePolicy = "Replace"
	// PushSecretUpdatePolicyIfNotExists requests that existing provider secrets be left alone.
	PushSecretUpdatePolicyIfNotExists PushSecretUpdatePolicy = "IfNotExists"
)
// PushSecretDeletionPolicy selects whether provider-side secrets are removed
// when they stop being managed by this PushSecret. The CRD schema restricts
// it to the two values below; enforcement lives in the controller.
// +kubebuilder:validation:Enum=Delete;None
type PushSecretDeletionPolicy string

const (
	// PushSecretDeletionPolicyDelete requests deletion on the provider side.
	PushSecretDeletionPolicyDelete PushSecretDeletionPolicy = "Delete"
	// PushSecretDeletionPolicyNone is the default chosen in PushSecretSpec.
	PushSecretDeletionPolicyNone PushSecretDeletionPolicy = "None"
)
// PushSecretConversionStrategy selects how secret keys are converted before
// being pushed (see PushSecretData.ConversionStrategy). The CRD schema
// restricts it to the two values below.
// +kubebuilder:validation:Enum=None;ReverseUnicode
type PushSecretConversionStrategy string

const (
	// PushSecretConversionNone is the default chosen in PushSecretData.
	PushSecretConversionNone PushSecretConversionStrategy = "None"
	// PushSecretConversionReverseUnicode applies the "ReverseUnicode" key conversion (implemented in the controller).
	PushSecretConversionReverseUnicode PushSecretConversionStrategy = "ReverseUnicode"
)
// PushSecretSpec configures the behavior of the PushSecret: where to push
// (SecretStoreRefs), what to push (Selector, Data) and how existing or
// orphaned provider secrets are handled (UpdatePolicy, DeletionPolicy).
type PushSecretSpec struct {
	// The Interval to which External Secrets will try to push a secret definition
	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
	// SecretStoreRefs lists the stores to push to. Required in the schema
	// (no omitempty and no +optional marker).
	SecretStoreRefs []PushSecretStoreRef `json:"secretStoreRefs"`
	// UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".
	// +kubebuilder:default="Replace"
	// +optional
	UpdatePolicy PushSecretUpdatePolicy `json:"updatePolicy,omitempty"`
	// Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".
	// +kubebuilder:default="None"
	// +optional
	DeletionPolicy PushSecretDeletionPolicy `json:"deletionPolicy,omitempty"`
	// The Secret Selector (k8s source) for the Push Secret
	Selector PushSecretSelector `json:"selector"`
	// Secret Data that should be pushed to providers
	Data []PushSecretData `json:"data,omitempty"` // optional; what an empty list means is decided by the controller
	// Template defines a blueprint for the created Secret resource.
	// +optional
	Template *esv1beta1.ExternalSecretTemplate `json:"template,omitempty"`
}
// PushSecretSecret names the Kubernetes Secret that is the source of the push.
// Only a name is accepted; the namespace is always that of the PushSecret.
type PushSecretSecret struct {
	// Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
	Name string `json:"name"`
}
// PushSecretSelector chooses the source of the data to push. Currently the
// only supported source is a single Secret.
type PushSecretSelector struct {
	// Select a Secret to Push.
	Secret PushSecretSecret `json:"secret"`
}
// PushSecretRemoteRef names the provider-side secret, and optionally a
// property within it, that a source key is written to.
type PushSecretRemoteRef struct {
	// Name of the resulting provider secret.
	RemoteKey string `json:"remoteKey"`
	// Name of the property in the resulting secret
	// +optional
	Property string `json:"property,omitempty"`
}

// GetRemoteKey returns the provider-side secret name.
func (r PushSecretRemoteRef) GetRemoteKey() string {
	key := r.RemoteKey
	return key
}

// GetProperty returns the property name inside the provider secret, or the
// empty string when no property was set.
func (r PushSecretRemoteRef) GetProperty() string {
	prop := r.Property
	return prop
}
// PushSecretMatch pairs a key of the source Secret with the remote location
// it is pushed to. SecretKey is optional in the schema; what is pushed when
// it is empty is decided by the controller, not by this type.
type PushSecretMatch struct {
	// Secret Key to be pushed
	// +optional
	SecretKey string `json:"secretKey,omitempty"`
	// Remote Refs to push to providers.
	RemoteRef PushSecretRemoteRef `json:"remoteRef"`
}
// PushSecretData describes one item to push: the source/remote key pair,
// optional provider-specific metadata and the key conversion to apply.
// It carries no secret values, only names, references and metadata.
type PushSecretData struct {
	// Match a given Secret Key to be pushed to the provider.
	Match PushSecretMatch `json:"match"`
	// Metadata is metadata attached to the secret.
	// The structure of metadata is provider specific, please look it up in the provider documentation.
	// +optional
	Metadata *apiextensionsv1.JSON `json:"metadata,omitempty"` // raw JSON; no structure is validated by this schema
	// +optional
	// Used to define a conversion Strategy for the secret keys
	// +kubebuilder:default="None"
	ConversionStrategy PushSecretConversionStrategy `json:"conversionStrategy,omitempty"`
}

// GetMetadata returns the provider-specific metadata, which may be nil.
func (d PushSecretData) GetMetadata() *apiextensionsv1.JSON {
	meta := d.Metadata
	return meta
}

// GetSecretKey returns the key of the source Secret to push.
func (d PushSecretData) GetSecretKey() string {
	match := d.Match
	return match.SecretKey
}

// GetRemoteKey returns the provider-side secret name from the remote ref.
func (d PushSecretData) GetRemoteKey() string {
	ref := d.Match.RemoteRef
	return ref.RemoteKey
}

// GetProperty returns the provider-side property name from the remote ref.
func (d PushSecretData) GetProperty() string {
	ref := d.Match.RemoteRef
	return ref.Property
}
// PushSecretConditionType indicates the condition of the PushSecret.
// Only one condition type is defined in this package.
type PushSecretConditionType string

const (
	// PushSecretReady is the condition whose Reason is shown in the "Status" print column of PushSecret.
	PushSecretReady PushSecretConditionType = "Ready"
)
// PushSecretStatusCondition indicates the status of the PushSecret.
// Reason and Message are free-form strings with no schema restriction.
type PushSecretStatusCondition struct {
	Type   PushSecretConditionType `json:"type"`
	Status corev1.ConditionStatus  `json:"status"`
	// +optional
	Reason string `json:"reason,omitempty"` // expected to hold ReasonSynced / ReasonErrored — not enforced here
	// +optional
	Message string `json:"message,omitempty"` // NOTE(review): presumably filled with controller/provider error text; confirm what it may contain
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
}
// SyncedPushSecretsMap records what was pushed where. The outer key is a
// secret store (see PushSecretStatus.SyncedPushSecrets); the inner key is
// presumably the remote key — confirm against the controller. Values are
// PushSecretData, i.e. names, refs and metadata, never secret values.
type SyncedPushSecretsMap map[string]map[string]PushSecretData
// PushSecretStatus indicates the history of the status of PushSecret.
// It is served through the status subresource (see the marker on PushSecret),
// so it is written separately from Spec.
type PushSecretStatus struct {
	// +nullable
	// refreshTime is the time and date the external secret was fetched and
	// the target secret updated
	// NOTE(review): this wording looks carried over from the ExternalSecret
	// status; for a PushSecret it presumably records the last push time.
	RefreshTime metav1.Time `json:"refreshTime,omitempty"` // +nullable because metav1.Time encodes its zero value as null
	// SyncedResourceVersion keeps track of the last synced version.
	SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
	// Synced PushSecrets, including secrets that already exist in provider.
	// Matches secret stores to PushSecretData that was stored to that secret store.
	// +optional
	SyncedPushSecrets SyncedPushSecretsMap `json:"syncedPushSecrets,omitempty"`
	// +optional
	Conditions []PushSecretStatusCondition `json:"conditions,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// PushSecret is the Schema for the PushSecrets API. It is namespaced; the
// status subresource marker means Status is updated independently of Spec,
// so RBAC can grant the two separately.
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Namespaced,categories={pushsecrets}
type PushSecret struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PushSecretSpec   `json:"spec,omitempty"`
	Status PushSecretStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
// PushSecretList contains a list of PushSecret resources.
type PushSecretList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is required in the schema (no omitempty); an empty list encodes as [].
	Items []PushSecret `json:"items"`
}