From 73aeaef3f725ae2f3011ff24d9b7243716f639c9 Mon Sep 17 00:00:00 2001 
From: Markus Maga Date: Mon, 10 May 2021 22:21:16 +0200 Subject: [PATCH] fix!: update crd to apiextensions.k8s.io/v1 (#681) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Drops support for `secretDescriptor` in CRD validation (its been deprecated forever, wasn't really validated before either but seemed to work regardless) - Updates to apiextensions.k8s.io/v1 for CRD - Updated validation schema to comply with structural requirements 😄 - If the schema is missing anything that was used those fields will be dropped as soon as the CRD is updated! (setting `preserveUnknownFields: true` is not allowed) This _shouldn't_ be a breaking change for users as long as the validation schema includes all the possible props. I've gone thru the backends specOptions and keyOptions and I believe I've caught them all.. (assuming no one uses `secretDescriptor`) Drops support for kubernetes versions <1.16 BREAKING CHANGE: Drops support for kubernetes versions <1.16. This _shouldn't_ be a breaking change if you have followed earlier deprecations (like using `spec` instead of `secretDescriptor`). The updated CRD complies with the new structural validation and should validate all fields, any fields missing in the validation will be dropped from your ExternalSecret resource.
--- charts/kubernetes-external-secrets/README.md | 2 +- ...ernetes-client.io_externalsecrets_crd.yaml | 282 +++++++++++------- e2e/tests/crd.test.js | 2 +- examples/alicloud-secretsmanager.yaml | 15 + examples/alicloudsecretsmanager-example.yaml | 9 - ...r-example.yaml => aws-secretsmanager.yaml} | 2 +- examples/aws-ssm-path.yaml | 15 + examples/{ssm-example.yaml => aws-ssm.yaml} | 2 +- ...vault-example.yaml => azure-keyvault.yaml} | 2 +- ...secret-gcp.yml => gcp-secrets-manager.yml} | 2 +- ...ple.yaml => ibmcloud-secrets-manager.yaml} | 4 +- ...ult-template.yml => template-advanced.yml} | 2 +- ...ernal-secret.yml => template-metadata.yml} | 2 +- examples/tls-example.yml | 2 +- examples/vault-kv1.yaml | 2 +- ...ce-external-secret-vault.yml => vault.yml} | 2 +- .../ibmcloud-secrets-manager-backend.js | 2 +- 17 files changed, 216 insertions(+), 133 deletions(-) create mode 100644 examples/alicloud-secretsmanager.yaml delete mode 100644 examples/alicloudsecretsmanager-example.yaml rename examples/{secretsmanager-example.yaml => aws-secretsmanager.yaml} (93%) create mode 100644 examples/aws-ssm-path.yaml rename examples/{ssm-example.yaml => aws-ssm.yaml} (97%) rename examples/{azurekeyvault-example.yaml => azure-keyvault.yaml} (89%) rename examples/{hello-service-external-secret-gcp.yml => gcp-secrets-manager.yml} (95%) rename examples/{ibmcloud-secrets-manager-example.yaml => ibmcloud-secrets-manager.yaml} (72%) rename examples/{hello-service-external-secret-vault-template.yml => template-advanced.yml} (95%) rename examples/{hello-service-external-secret.yml => template-metadata.yml} (91%) rename examples/{hello-service-external-secret-vault.yml => vault.yml} (95%) diff --git a/charts/kubernetes-external-secrets/README.md b/charts/kubernetes-external-secrets/README.md index da78be24..3cef4c46 100644 --- a/charts/kubernetes-external-secrets/README.md +++ b/charts/kubernetes-external-secrets/README.md 
@@ -13,7 +13,7 @@ See below for [Helm V2 considerations](#helm-v2-considerations) when installing ## Prerequisites -* Kubernetes 1.12+ +* Kubernetes 1.16+ ## Installing the Chart diff --git a/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml b/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml index 37909149..5a6dbef5 100644 --- a/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml +++ b/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml @@ -1,5 +1,5 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: externalsecrets.kubernetes-client.io 
@@ -8,77 +8,77 @@ metadata: app.kubernetes.io/managed-by: helm spec: group: kubernetes-client.io - version: v1 scope: Namespaced - names: - shortNames: - - es - kind: ExternalSecret - plural: externalsecrets - singular: externalsecret - - additionalPrinterColumns: - - JSONPath: .status.lastSync - name: Last Sync - type: date - - JSONPath: .status.status - name: status - type: string - - JSONPath: .metadata.creationTimestamp - name: Age - type: date + preserveUnknownFields: false - validation: - openAPIV3Schema: - required: - - spec - properties: - spec: + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + required: + - spec type: object properties: - template: - description: Template which will be deep merged without mutating - any existing fields. into generated secret, can be used to - set for example annotations or type on the generated secret + spec: type: object - controllerId: - description: The ID of controller instance that manages this ExternalSecret. - This is needed in case there is more than a KES controller instances within the cluster. - type: string - backendType: - type: string - enum: - - secretsManager - - systemManager - - vault - - azureKeyVault - - gcpSecretsManager - - alicloudSecretsManager - - ibmcloudSecretsManager - vaultRole: - type: string - vaultMountPoint: - type: string - kvVersion: - description: Vault K/V version either 1 or 2, default = 2 - type: integer - minimum: 1 - maximum: 2 - keyVaultName: - type: string - key: - type: string - dataFrom: - type: array - items: - type: string - data: - type: array - items: - type: object - anyOf: - - properties: + properties: + controllerId: + description: The ID of controller instance that manages this ExternalSecret. + This is needed in case there is more than a KES controller instances within the cluster. 
+ type: string + type: + type: string + description: >- + DEPRECATED: Use spec.template.type + template: + description: Template which will be deep merged without mutating + any existing fields. into generated secret, can be used to + set for example annotations or type on the generated secret + type: object + x-kubernetes-preserve-unknown-fields: true + backendType: + description: >- + Determines which backend to use for fetching secrets + type: string + enum: + - secretsManager + - systemManager + - vault + - azureKeyVault + - gcpSecretsManager + - alicloudSecretsManager + - ibmcloudSecretsManager + vaultRole: + description: >- + Used by: vault + type: string + vaultMountPoint: + description: >- + Used by: vault + type: string + kvVersion: + description: Vault K/V version either 1 or 2, default = 2 + type: integer + minimum: 1 + maximum: 2 + keyVaultName: + description: >- + Used by: azureKeyVault + type: string + dataFrom: + type: array + items: + type: string + data: + type: array + items: + type: object + properties: key: description: Secret key in backend type: string @@ -87,6 +87,7 @@ spec: type: string property: description: Property to extract if secret in backend is a JSON object + type: string isBinary: description: >- Whether the backend secret shall be treated as binary data 
@@ -94,53 +95,114 @@ spec: for any base64-encoded binary data in the backend - to ensure it is not encoded in base64 again. Default is false. type: boolean - required: - - key - - name - - properties: path: description: >- Path from SSM to scrape secrets This will fetch all secrets and use the key from the secret as variable name + type: string recursive: - description: Allow to recurse thru all child keys on a given path + description: Allow to recurse thru all child keys on a given path, default false type: boolean - required: - - path - roleArn: - type: string - oneOf: - - properties: - backendType: - enum: - - secretsManager - - systemManager - - properties: - backendType: - enum: - - vault - - properties: - backendType: - enum: - - azureKeyVault - required: - - keyVaultName - - properties: - backendType: - enum: - - gcpSecretsManager - - properties: - backendType: - enum: - - alicloudSecretsManager - - properties: - backendType: - enum: - - ibmcloudSecretsManager - anyOf: - - required: - - data - - required: - - dataFrom - subresources: - status: {} + secretType: + description: >- + Used by: ibmcloudSecretsManager + Type of secret - one of username_password, iam_credentials or arbitrary + type: string + version: + description: >- + Used by: gcpSecretsManager + type: string + x-kubernetes-int-or-string: true + versionStage: + description: >- + Used by: alicloudSecretsManager, secretsManager + type: string + versionId: + description: >- + Used by: secretsManager + type: string + oneOf: + - properties: + key: + name: + property: + isBinary: + secretType: + required: + - key + - name + - properties: + path: + recursive: + required: + - path + roleArn: + type: string + description: >- + Used by: alicloudSecretsManager, secretsManager, systemManager + region: + type: string + description: >- + Used by: secretsManager, systemManager + projectId: + type: string + description: >- + Used by: gcpSecretsManager + oneOf: + - properties: + backendType: + enum: + - 
secretsManager + - systemManager + - properties: + backendType: + enum: + - vault + - properties: + backendType: + enum: + - azureKeyVault + required: + - keyVaultName + - properties: + backendType: + enum: + - gcpSecretsManager + - properties: + backendType: + enum: + - alicloudSecretsManager + - properties: + backendType: + enum: + - ibmcloudSecretsManager + anyOf: + - required: + - data + - required: + - dataFrom + status: + type: object + properties: + lastSync: + type: string + status: + type: string + additionalPrinterColumns: + - jsonPath: .status.lastSync + name: Last Sync + type: date + - jsonPath: .status.status + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + + names: + shortNames: + - es + kind: ExternalSecret + plural: externalsecrets + singular: externalsecret + diff --git a/e2e/tests/crd.test.js b/e2e/tests/crd.test.js index 3e4ea310..d63357b3 100644 --- a/e2e/tests/crd.test.js +++ b/e2e/tests/crd.test.js @@ -16,7 +16,7 @@ describe('CRD', () => { it('ensure CRD is managed correctly', async () => { const res = await kubeClient .apis['apiextensions.k8s.io'] - .v1beta1 + .v1 .customresourcedefinitions(customResourceManifest.metadata.name) .get() diff --git a/examples/alicloud-secretsmanager.yaml b/examples/alicloud-secretsmanager.yaml new file mode 100644 index 00000000..ab2ebd18 --- /dev/null +++ b/examples/alicloud-secretsmanager.yaml @@ -0,0 +1,15 @@ +apiVersion: kubernetes-client.io/v1 +kind: ExternalSecret +metadata: + name: alicloud-secretsmanager +spec: + backendType: alicloudSecretsManager + # optional: specify role to assume using provided access key ID and access key secret when retrieving the data + roleArn: acs:ram::{UID}:role/demo + data: + - key: hello-credentials1 + name: password + - key: hello-credentials2 + name: username + # Version Stage in Alibaba Cloud KMS Secrets Manager. Optional, default value is ACSCurrent + versionStage: ACSCurrent 
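Review bot: `version` under `spec.properties.data.items.properties` sets both `type: string` and `x-kubernetes-int-or-string: true`; as far as I recall the apiextensions.k8s.io/v1 structural-schema check forbids a `type` next to `x-kubernetes-int-or-string`, so the CRD may be rejected on apply, and even if accepted the `type: string` would still reject an integer `version: 3`, which is the case the extension exists for — dropping the `type: string` line and keeping only `x-kubernetes-int-or-string: true` accepts both forms. The item-level `oneOf` branches list `key:`, `name:`, `property:`, `isBinary:`, `secretType:`, `path:` and `recursive:` with YAML null values rather than `{}`; that relies on the apiserver decoding null as an empty schema, and an explicit `{}` per entry says what is meant. With `preserveUnknownFields: false`, `template` (declared in the previous hunk with `x-kubernetes-preserve-unknown-fields: true`) is now the only place where unvalidated keys survive pruning and are deep-merged into the generated Secret, which deserves a one-line comment on that property so the next maintainer does not "tighten" it by accident.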
diff --git a/examples/alicloudsecretsmanager-example.yaml b/examples/alicloudsecretsmanager-example.yaml deleted file mode 100644 index c61efaa0..00000000 --- a/examples/alicloudsecretsmanager-example.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kubernetes-client.io/v1 -kind: ExternalSecret -metadata: - name: secretsmanager-example -spec: - backendType: alicloudSecretsManager - data: - - key: akey - name: password \ No newline at end of file diff --git a/examples/secretsmanager-example.yaml b/examples/aws-secretsmanager.yaml similarity index 93% rename from examples/secretsmanager-example.yaml rename to examples/aws-secretsmanager.yaml index b79ef39f..80b248f7 100644 --- a/examples/secretsmanager-example.yaml +++ b/examples/aws-secretsmanager.yaml @@ -1,7 +1,7 @@ apiVersion: kubernetes-client.io/v1 kind: ExternalSecret metadata: - name: secretsmanager-example + name: aws-secretsmanager spec: backendType: secretsManager # optional: specify role to assume when retrieving the data diff --git a/examples/aws-ssm-path.yaml b/examples/aws-ssm-path.yaml new file mode 100644 index 00000000..8d044eed --- /dev/null +++ b/examples/aws-ssm-path.yaml @@ -0,0 +1,15 @@ +apiVersion: kubernetes-client.io/v1 +kind: ExternalSecret +metadata: + name: aws-ssm-path +spec: + backendType: systemManager + # optional: specify role to assume when retrieving the data + roleArn: arn:aws:iam::123456789012:role/test-role + # optional: specify region + region: us-east-1 + data: + - key: /foo/name + name: fooName + - path: /extra-people/ + recursive: false diff --git a/examples/ssm-example.yaml b/examples/aws-ssm.yaml similarity index 97% rename from examples/ssm-example.yaml rename to examples/aws-ssm.yaml index 8cf9f685..129e5977 100644 --- a/examples/ssm-example.yaml +++ b/examples/aws-ssm.yaml 
@@ -1,7 +1,7 @@ apiVersion: kubernetes-client.io/v1 kind: ExternalSecret metadata: - name: ssm-example + name: aws-ssm spec: backendType: systemManager # optional: specify role to assume when retrieving the data diff --git a/examples/azurekeyvault-example.yaml b/examples/azure-keyvault.yaml similarity index 89% rename from examples/azurekeyvault-example.yaml rename to examples/azure-keyvault.yaml index b2af57a7..3c255d7a 100644 --- a/examples/azurekeyvault-example.yaml +++ b/examples/azure-keyvault.yaml @@ -1,7 +1,7 @@ apiVersion: kubernetes-client.io/v1 kind: ExternalSecret metadata: - name: keyvault-example + name: azure-keyvault spec: backendType: azureKeyVault keyVaultName: hello-world diff --git a/examples/hello-service-external-secret-gcp.yml b/examples/gcp-secrets-manager.yml similarity index 95% rename from examples/hello-service-external-secret-gcp.yml rename to examples/gcp-secrets-manager.yml index ec50ed17..73465efc 100644 --- a/examples/hello-service-external-secret-gcp.yml +++ b/examples/gcp-secrets-manager.yml @@ -1,7 +1,7 @@ apiVersion: kubernetes-client.io/v1 kind: ExternalSecret metadata: - name: gcp-secrets-manager-example + name: gcp-secrets-manager spec: backendType: gcpSecretsManager # Project to use for GCP Secrets Manager (use the service account project by default) diff --git a/examples/ibmcloud-secrets-manager-example.yaml b/examples/ibmcloud-secrets-manager.yaml similarity index 72% rename from examples/ibmcloud-secrets-manager-example.yaml rename to examples/ibmcloud-secrets-manager.yaml index f8fc8b35..756652b8 100644 --- a/examples/ibmcloud-secrets-manager-example.yaml +++ b/examples/ibmcloud-secrets-manager.yaml 
@@ -1,11 +1,11 @@ apiVersion: kubernetes-client.io/v1 kind: ExternalSecret metadata: - name: ibmcloud-secrets-manager-example + name: ibmcloud-secrets-manager spec: backendType: ibmcloudSecretsManager data: # The guid id of the secret - key: guid name: username_password - secretType: username_password \ No newline at end of file + secretType: username_password diff --git a/examples/hello-service-external-secret-vault-template.yml b/examples/template-advanced.yml similarity index 95% rename from examples/hello-service-external-secret-vault-template.yml rename to examples/template-advanced.yml index c5ac41aa..c537b630 100644 --- a/examples/hello-service-external-secret-vault-template.yml +++ b/examples/template-advanced.yml @@ -1,7 +1,7 @@ apiVersion: 'kubernetes-client.io/v1' kind: ExternalSecret metadata: - name: hello-service + name: template-advanced spec: backendType: vault vaultMountPoint: my-kubernetes-vault-mount-point diff --git a/examples/hello-service-external-secret.yml b/examples/template-metadata.yml similarity index 91% rename from examples/hello-service-external-secret.yml rename to examples/template-metadata.yml index 2c10dba7..7d892ce1 100644 --- a/examples/hello-service-external-secret.yml +++ b/examples/template-metadata.yml @@ -1,7 +1,7 @@ apiVersion: kubernetes-client.io/v1 kind: ExternalSecret metadata: - name: hello-service + name: template-metadata spec: template: metadata: diff --git a/examples/tls-example.yml b/examples/tls-example.yml index cd3ee51f..0c36e415 100644 --- a/examples/tls-example.yml +++ b/examples/tls-example.yml @@ -1,7 +1,7 @@ apiVersion: kubernetes-client.io/v1 kind: ExternalSecret metadata: - name: tls-secret + name: tls-example spec: backendType: secretsManager template: diff --git a/examples/vault-kv1.yaml b/examples/vault-kv1.yaml index 8ab7e23e..3104a5cf 100644 --- a/examples/vault-kv1.yaml +++ b/examples/vault-kv1.yaml 
@@ -1,7 +1,7 @@ apiVersion: 'kubernetes-client.io/v1' kind: ExternalSecret metadata: - name: database-credentials-from-kv1 + name: vault-kv1 spec: backendType: vault vaultMountPoint: my-kubernetes-vault-mount-point diff --git a/examples/hello-service-external-secret-vault.yml b/examples/vault.yml similarity index 95% rename from examples/hello-service-external-secret-vault.yml rename to examples/vault.yml index 6e517fe5..b4a34fad 100644 --- a/examples/hello-service-external-secret-vault.yml +++ b/examples/vault.yml @@ -1,7 +1,7 @@ apiVersion: 'kubernetes-client.io/v1' kind: ExternalSecret metadata: - name: hello-service + name: vault spec: backendType: vault vaultMountPoint: my-kubernetes-vault-mount-point diff --git a/lib/backends/ibmcloud-secrets-manager-backend.js b/lib/backends/ibmcloud-secrets-manager-backend.js index ed76c2d3..88d38fd8 100644 --- a/lib/backends/ibmcloud-secrets-manager-backend.js +++ b/lib/backends/ibmcloud-secrets-manager-backend.js @@ -37,7 +37,7 @@ class IbmCloudSecretsManagerBackend extends KVBackend { * Get secret_data property value from IBM Cloud Secrets Manager * @param {string} key - Key used to store secret property value. * @param {object} specOptions - Options for this external secret, eg role - * @param {string} specOptions.secretType - Type of secret - one of username_password, iam_credentials or arbitrary + * @param {string} keyOptions.secretType - Type of secret - one of username_password, iam_credentials or arbitrary * @returns {Promise} Promise object representing secret property value. */ async _get ({ key, keyOptions: { secretType } }) {