This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

Commit

fix!: update crd to apiextensions.k8s.io/v1 (#681)
- Drops support for `secretDescriptor` in CRD validation (it's been deprecated forever, wasn't really validated before either but seemed to work regardless)
- Updates to apiextensions.k8s.io/v1 for CRD
- Updated validation schema to comply with structural requirements 😄 
- If the schema is missing anything that was used those fields will be dropped as soon as the CRD is updated! (setting `preserveUnknownFields: true` is not allowed)

This _shouldn't_ be a breaking change for users as long as the validation schema includes all the possible props. I've gone through the backends' specOptions and keyOptions and I believe I've caught them all (assuming no one uses `secretDescriptor`).

Drops support for kubernetes versions <1.16

BREAKING CHANGE: Drops support for kubernetes versions <1.16. This _shouldn't_ be a breaking change if you have followed earlier deprecations (like using `spec` instead of `secretDescriptor`). The updated CRD complies with the new structural validation and should validate all fields; any fields missing in the validation will be dropped from your ExternalSecret resource.
Flydiverny committed May 10, 2021
1 parent 9df8b86 commit 73aeaef
Showing 17 changed files with 216 additions and 133 deletions.
2 changes: 1 addition & 1 deletion charts/kubernetes-external-secrets/README.md
@@ -13,7 +13,7 @@ See below for [Helm V2 considerations](#helm-v2-considerations) when installing

## Prerequisites

* Kubernetes 1.12+
* Kubernetes 1.16+

## Installing the Chart

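Review bot: the prerequisite bump to 1.16+ matches the BREAKING CHANGE footer, but the README hunk says nothing about the other breaking effect the commit message calls out: fields not covered by the new structural schema are pruned as soon as the CRD is updated. Consider a short upgrade note next to the prerequisite (for example: "upgrading from an older chart: make sure your ExternalSecret resources use `spec`, not the deprecated `secretDescriptor`, and only fields declared in the CRD schema") so users see it before they upgrade rather than after data has been dropped.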
@@ -1,5 +1,5 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalsecrets.kubernetes-client.io
@@ -8,77 +8,77 @@ metadata:
app.kubernetes.io/managed-by: helm
spec:
group: kubernetes-client.io
version: v1
scope: Namespaced

names:
shortNames:
- es
kind: ExternalSecret
plural: externalsecrets
singular: externalsecret

additionalPrinterColumns:
- JSONPath: .status.lastSync
name: Last Sync
type: date
- JSONPath: .status.status
name: status
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
preserveUnknownFields: false

validation:
openAPIV3Schema:
required:
- spec
properties:
spec:
versions:
- name: v1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
template:
description: Template which will be deep merged without mutating
any existing fields. into generated secret, can be used to
set for example annotations or type on the generated secret
spec:
type: object
controllerId:
description: The ID of controller instance that manages this ExternalSecret.
This is needed in case there is more than a KES controller instances within the cluster.
type: string
backendType:
type: string
enum:
- secretsManager
- systemManager
- vault
- azureKeyVault
- gcpSecretsManager
- alicloudSecretsManager
- ibmcloudSecretsManager
vaultRole:
type: string
vaultMountPoint:
type: string
kvVersion:
description: Vault K/V version either 1 or 2, default = 2
type: integer
minimum: 1
maximum: 2
keyVaultName:
type: string
key:
type: string
dataFrom:
type: array
items:
type: string
data:
type: array
items:
type: object
anyOf:
- properties:
properties:
controllerId:
description: The ID of controller instance that manages this ExternalSecret.
This is needed in case there is more than a KES controller instances within the cluster.
type: string
type:
type: string
description: >-
DEPRECATED: Use spec.template.type
template:
description: Template which will be deep merged without mutating
any existing fields. into generated secret, can be used to
set for example annotations or type on the generated secret
type: object
x-kubernetes-preserve-unknown-fields: true
backendType:
description: >-
Determines which backend to use for fetching secrets
type: string
enum:
- secretsManager
- systemManager
- vault
- azureKeyVault
- gcpSecretsManager
- alicloudSecretsManager
- ibmcloudSecretsManager
vaultRole:
description: >-
Used by: vault
type: string
vaultMountPoint:
description: >-
Used by: vault
type: string
kvVersion:
description: Vault K/V version either 1 or 2, default = 2
type: integer
minimum: 1
maximum: 2
keyVaultName:
description: >-
Used by: azureKeyVault
type: string
dataFrom:
type: array
items:
type: string
data:
type: array
items:
type: object
properties:
key:
description: Secret key in backend
type: string
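Review bot: the descriptions that ship with the schema have grammar slips that now surface to users through `kubectl explain externalsecret.spec`: in `controllerId` (both the old and the new copy in this hunk) "more than a KES controller instances" should read "more than one KES controller instance", and in `template` the stray period in "without mutating any existing fields. into generated secret" splits the sentence in two. On `template` itself, `x-kubernetes-preserve-unknown-fields: true` is the right choice for free-form Secret content, but it also means nothing under `template` is validated or pruned, so a mistyped key is passed straight through to the generated Secret without any error; declaring the known keys (`type`, `metadata`) under `properties` next to the extension keeps the free-form behaviour while still type-checking the common ones. Since `type` is now marked "DEPRECATED: Use spec.template.type", it would also be worth tracking its removal together with `secretDescriptor` so the next schema change does not have to repeat this exercise.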
@@ -87,60 +87,122 @@ spec:
type: string
property:
description: Property to extract if secret in backend is a JSON object
type: string
isBinary:
description: >-
Whether the backend secret shall be treated as binary data
represented by a base64-encoded string. You must set this to true
for any base64-encoded binary data in the backend - to ensure it
is not encoded in base64 again. Default is false.
type: boolean
required:
- key
- name
- properties:
path:
description: >-
Path from SSM to scrape secrets
This will fetch all secrets and use the key from the secret as variable name
type: string
recursive:
description: Allow to recurse thru all child keys on a given path
description: Allow to recurse thru all child keys on a given path, default false
type: boolean
required:
- path
roleArn:
type: string
oneOf:
- properties:
backendType:
enum:
- secretsManager
- systemManager
- properties:
backendType:
enum:
- vault
- properties:
backendType:
enum:
- azureKeyVault
required:
- keyVaultName
- properties:
backendType:
enum:
- gcpSecretsManager
- properties:
backendType:
enum:
- alicloudSecretsManager
- properties:
backendType:
enum:
- ibmcloudSecretsManager
anyOf:
- required:
- data
- required:
- dataFrom
subresources:
status: {}
secretType:
description: >-
Used by: ibmcloudSecretsManager
Type of secret - one of username_password, iam_credentials or arbitrary
type: string
version:
description: >-
Used by: gcpSecretsManager
type: string
x-kubernetes-int-or-string: true
versionStage:
description: >-
Used by: alicloudSecretsManager, secretsManager
type: string
versionId:
description: >-
Used by: secretsManager
type: string
oneOf:
- properties:
key:
name:
property:
isBinary:
secretType:
required:
- key
- name
- properties:
path:
recursive:
required:
- path
roleArn:
type: string
description: >-
Used by: alicloudSecretsManager, secretsManager, systemManager
region:
type: string
description: >-
Used by: secretsManager, systemManager
projectId:
type: string
description: >-
Used by: gcpSecretsManager
oneOf:
- properties:
backendType:
enum:
- secretsManager
- systemManager
- properties:
backendType:
enum:
- vault
- properties:
backendType:
enum:
- azureKeyVault
required:
- keyVaultName
- properties:
backendType:
enum:
- gcpSecretsManager
- properties:
backendType:
enum:
- alicloudSecretsManager
- properties:
backendType:
enum:
- ibmcloudSecretsManager
anyOf:
- required:
- data
- required:
- dataFrom
status:
type: object
properties:
lastSync:
type: string
status:
type: string
additionalPrinterColumns:
- jsonPath: .status.lastSync
name: Last Sync
type: date
- jsonPath: .status.status
name: status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date

names:
shortNames:
- es
kind: ExternalSecret
plural: externalsecrets
singular: externalsecret

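Review bot: the `version` property ("Used by: gcpSecretsManager") sets both `type: string` and `x-kubernetes-int-or-string: true`; structural schemas require `type` to be left empty when `x-kubernetes-int-or-string` is set (the only way to constrain it further is `anyOf: [{type: integer}, {type: string}]`), so the API server is expected to reject this CRD on apply. Drop the `type: string` line under `version` and confirm with `kubectl apply --dry-run=server` against the generated manifest. Two smaller points: in the per-item `oneOf` under `data.items`, the branch entries `key:`, `name:`, `property:`, `isBinary:`, `secretType:`, `path:` and `recursive:` carry no value; writing them as `key: {}` makes the intent explicit (a reference to a property whose constraints live at the top level, as structural schemas require) instead of relying on a YAML null being tolerated. And in the `backendType` `oneOf`, only the `azureKeyVault` branch has a `required` list; if the vault backend cannot sync without `vaultMountPoint` and `vaultRole` (both documented here as "Used by: vault"), adding them to that branch's `required` turns a misconfiguration into an admission-time error instead of a failure at sync time.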
2 changes: 1 addition & 1 deletion e2e/tests/crd.test.js
@@ -16,7 +16,7 @@ describe('CRD', () => {
it('ensure CRD is managed correctly', async () => {
const res = await kubeClient
.apis['apiextensions.k8s.io']
.v1beta1
.v1
.customresourcedefinitions(customResourceManifest.metadata.name)
.get()

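Review bot: the test still only asserts that the CRD can be read back from the new API group version; none of the behaviour the commit message warns about is covered. Worth adding one case that applies an ExternalSecret carrying a field not declared in the schema and asserts that the field is pruned (or the object rejected), and one that applies a resource using `secretDescriptor` and asserts it is no longer accepted, so that a future schema edit which drops a field is caught here rather than in users' clusters.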
15 changes: 15 additions & 0 deletions examples/alicloud-secretsmanager.yaml
@@ -0,0 +1,15 @@
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: alicloud-secretsmanager
spec:
backendType: alicloudSecretsManager
# optional: specify role to assume using provided access key ID and access key secret when retrieving the data
roleArn: acs:ram::{UID}:role/demo
data:
- key: hello-credentials1
name: password
- key: hello-credentials2
name: username
# Version Stage in Alibaba Cloud KMS Secrets Manager. Optional, default value is ACSCurrent
versionStage: ACSCurrent
9 changes: 0 additions & 9 deletions examples/alicloudsecretsmanager-example.yaml

This file was deleted.

@@ -1,7 +1,7 @@
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: secretsmanager-example
name: aws-secretsmanager
spec:
backendType: secretsManager
# optional: specify role to assume when retrieving the data
15 changes: 15 additions & 0 deletions examples/aws-ssm-path.yaml
@@ -0,0 +1,15 @@
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: aws-ssm-path
spec:
backendType: systemManager
# optional: specify role to assume when retrieving the data
roleArn: arn:aws:iam::123456789012:role/test-role
# optional: specify region
region: us-east-1
data:
- key: /foo/name
name: fooName
- path: /extra-people/
recursive: false
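Review bot: this example mixes a `key`/`name` item and a `path`/`recursive` item in the same `data` list, which exercises both branches of the new per-item `oneOf` in the CRD; a comment saying so, and noting that each item must match exactly one branch (a `key` and a `path` cannot be combined in one item), would let the example double as documentation of the schema and give the e2e suite a ready-made fixture.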
2 changes: 1 addition & 1 deletion examples/ssm-example.yaml → examples/aws-ssm.yaml
@@ -1,7 +1,7 @@
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: ssm-example
name: aws-ssm
spec:
backendType: systemManager
# optional: specify role to assume when retrieving the data
