Skip to content
This repository was archived by the owner on Jul 26, 2022. It is now read-only.

Commit 73aeaef

Browse files
FlydivernyFlydiverny
authored
fix!: update crd to apiextensions.k8s.io/v1 (#681)
- Drops support for `secretDescriptor` in CRD validation (its been deprecated forever, wasn't really validated before either but seemed to work regardless) - Updates to apiextensions.k8s.io/v1 for CRD - Updated validation schema to comply with structural requirements 😄 - If the schema is missing anything that was used those fields will be dropped as soon as the CRD is updated! (setting `preserveUnknownFields: true` is not allowed) This _shouldn't_ be a breaking change for users as long as the validation schema includes all the possible props. I've gone thru the backends specOptions and keyOptions and I believe I've caught them all.. (assuming no one uses `secretDescriptor`) Drops support for kubernetes versions <1.16 BREAKING CHANGE: Drops support for kubernetes versions <1.16. This _shouldn't_ be a breaking change if you have followed earlier deprecation's (like using `spec` instead of `secretDescriptor`. The updated CRD complies with the new structural validation and should validate all fields, any fields missing in the validation will be dropped from your ExternalSecret resource.
1 parent 9df8b86 commit 73aeaef

17 files changed

+216
-133
lines changed

charts/kubernetes-external-secrets/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ See below for [Helm V2 considerations](#helm-v2-considerations) when installing
1313

1414
## Prerequisites
1515

16-
* Kubernetes 1.12+
16+
* Kubernetes 1.16+
1717

1818
## Installing the Chart
1919

charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml

Lines changed: 172 additions & 110 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
apiVersion: apiextensions.k8s.io/v1beta1
2+
apiVersion: apiextensions.k8s.io/v1
33
kind: CustomResourceDefinition
44
metadata:
55
name: externalsecrets.kubernetes-client.io
@@ -8,77 +8,77 @@ metadata:
88
app.kubernetes.io/managed-by: helm
99
spec:
1010
group: kubernetes-client.io
11-
version: v1
1211
scope: Namespaced
1312

14-
names:
15-
shortNames:
16-
- es
17-
kind: ExternalSecret
18-
plural: externalsecrets
19-
singular: externalsecret
20-
21-
additionalPrinterColumns:
22-
- JSONPath: .status.lastSync
23-
name: Last Sync
24-
type: date
25-
- JSONPath: .status.status
26-
name: status
27-
type: string
28-
- JSONPath: .metadata.creationTimestamp
29-
name: Age
30-
type: date
13+
preserveUnknownFields: false
3114

32-
validation:
33-
openAPIV3Schema:
34-
required:
35-
- spec
36-
properties:
37-
spec:
15+
versions:
16+
- name: v1
17+
served: true
18+
storage: true
19+
subresources:
20+
status: {}
21+
schema:
22+
openAPIV3Schema:
23+
required:
24+
- spec
3825
type: object
3926
properties:
40-
template:
41-
description: Template which will be deep merged without mutating
42-
any existing fields. into generated secret, can be used to
43-
set for example annotations or type on the generated secret
27+
spec:
4428
type: object
45-
controllerId:
46-
description: The ID of controller instance that manages this ExternalSecret.
47-
This is needed in case there is more than a KES controller instances within the cluster.
48-
type: string
49-
backendType:
50-
type: string
51-
enum:
52-
- secretsManager
53-
- systemManager
54-
- vault
55-
- azureKeyVault
56-
- gcpSecretsManager
57-
- alicloudSecretsManager
58-
- ibmcloudSecretsManager
59-
vaultRole:
60-
type: string
61-
vaultMountPoint:
62-
type: string
63-
kvVersion:
64-
description: Vault K/V version either 1 or 2, default = 2
65-
type: integer
66-
minimum: 1
67-
maximum: 2
68-
keyVaultName:
69-
type: string
70-
key:
71-
type: string
72-
dataFrom:
73-
type: array
74-
items:
75-
type: string
76-
data:
77-
type: array
78-
items:
79-
type: object
80-
anyOf:
81-
- properties:
29+
properties:
30+
controllerId:
31+
description: The ID of controller instance that manages this ExternalSecret.
32+
This is needed in case there is more than a KES controller instances within the cluster.
33+
type: string
34+
type:
35+
type: string
36+
description: >-
37+
DEPRECATED: Use spec.template.type
38+
template:
39+
description: Template which will be deep merged without mutating
40+
any existing fields. into generated secret, can be used to
41+
set for example annotations or type on the generated secret
42+
type: object
43+
x-kubernetes-preserve-unknown-fields: true
44+
backendType:
45+
description: >-
46+
Determines which backend to use for fetching secrets
47+
type: string
48+
enum:
49+
- secretsManager
50+
- systemManager
51+
- vault
52+
- azureKeyVault
53+
- gcpSecretsManager
54+
- alicloudSecretsManager
55+
- ibmcloudSecretsManager
56+
vaultRole:
57+
description: >-
58+
Used by: vault
59+
type: string
60+
vaultMountPoint:
61+
description: >-
62+
Used by: vault
63+
type: string
64+
kvVersion:
65+
description: Vault K/V version either 1 or 2, default = 2
66+
type: integer
67+
minimum: 1
68+
maximum: 2
69+
keyVaultName:
70+
description: >-
71+
Used by: azureKeyVault
72+
type: string
73+
dataFrom:
74+
type: array
75+
items:
76+
type: string
77+
data:
78+
type: array
79+
items:
80+
type: object
81+
properties:
8282
key:
8383
description: Secret key in backend
8484
type: string
@@ -87,60 +87,122 @@ spec:
8787
type: string
8888
property:
8989
description: Property to extract if secret in backend is a JSON object
90+
type: string
9091
isBinary:
9192
description: >-
9293
Whether the backend secret shall be treated as binary data
9394
represented by a base64-encoded string. You must set this to true
9495
for any base64-encoded binary data in the backend - to ensure it
9596
is not encoded in base64 again. Default is false.
9697
type: boolean
97-
required:
98-
- key
99-
- name
100-
- properties:
10198
path:
10299
description: >-
103100
Path from SSM to scrape secrets
104101
This will fetch all secrets and use the key from the secret as variable name
102+
type: string
105103
recursive:
106-
description: Allow to recurse thru all child keys on a given path
104+
description: Allow to recurse thru all child keys on a given path, default false
107105
type: boolean
108-
required:
109-
- path
110-
roleArn:
111-
type: string
112-
oneOf:
113-
- properties:
114-
backendType:
115-
enum:
116-
- secretsManager
117-
- systemManager
118-
- properties:
119-
backendType:
120-
enum:
121-
- vault
122-
- properties:
123-
backendType:
124-
enum:
125-
- azureKeyVault
126-
required:
127-
- keyVaultName
128-
- properties:
129-
backendType:
130-
enum:
131-
- gcpSecretsManager
132-
- properties:
133-
backendType:
134-
enum:
135-
- alicloudSecretsManager
136-
- properties:
137-
backendType:
138-
enum:
139-
- ibmcloudSecretsManager
140-
anyOf:
141-
- required:
142-
- data
143-
- required:
144-
- dataFrom
145-
subresources:
146-
status: {}
106+
secretType:
107+
description: >-
108+
Used by: ibmcloudSecretsManager
109+
Type of secret - one of username_password, iam_credentials or arbitrary
110+
type: string
111+
version:
112+
description: >-
113+
Used by: gcpSecretsManager
114+
type: string
115+
x-kubernetes-int-or-string: true
116+
versionStage:
117+
description: >-
118+
Used by: alicloudSecretsManager, secretsManager
119+
type: string
120+
versionId:
121+
description: >-
122+
Used by: secretsManager
123+
type: string
124+
oneOf:
125+
- properties:
126+
key:
127+
name:
128+
property:
129+
isBinary:
130+
secretType:
131+
required:
132+
- key
133+
- name
134+
- properties:
135+
path:
136+
recursive:
137+
required:
138+
- path
139+
roleArn:
140+
type: string
141+
description: >-
142+
Used by: alicloudSecretsManager, secretsManager, systemManager
143+
region:
144+
type: string
145+
description: >-
146+
Used by: secretsManager, systemManager
147+
projectId:
148+
type: string
149+
description: >-
150+
Used by: gcpSecretsManager
151+
oneOf:
152+
- properties:
153+
backendType:
154+
enum:
155+
- secretsManager
156+
- systemManager
157+
- properties:
158+
backendType:
159+
enum:
160+
- vault
161+
- properties:
162+
backendType:
163+
enum:
164+
- azureKeyVault
165+
required:
166+
- keyVaultName
167+
- properties:
168+
backendType:
169+
enum:
170+
- gcpSecretsManager
171+
- properties:
172+
backendType:
173+
enum:
174+
- alicloudSecretsManager
175+
- properties:
176+
backendType:
177+
enum:
178+
- ibmcloudSecretsManager
179+
anyOf:
180+
- required:
181+
- data
182+
- required:
183+
- dataFrom
184+
status:
185+
type: object
186+
properties:
187+
lastSync:
188+
type: string
189+
status:
190+
type: string
191+
additionalPrinterColumns:
192+
- jsonPath: .status.lastSync
193+
name: Last Sync
194+
type: date
195+
- jsonPath: .status.status
196+
name: status
197+
type: string
198+
- jsonPath: .metadata.creationTimestamp
199+
name: Age
200+
type: date
201+
202+
names:
203+
shortNames:
204+
- es
205+
kind: ExternalSecret
206+
plural: externalsecrets
207+
singular: externalsecret
208+

e2e/tests/crd.test.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ describe('CRD', () => {
1616
it('ensure CRD is managed correctly', async () => {
1717
const res = await kubeClient
1818
.apis['apiextensions.k8s.io']
19-
.v1beta1
19+
.v1
2020
.customresourcedefinitions(customResourceManifest.metadata.name)
2121
.get()
2222

examples/alicloud-secretsmanager.yaml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
apiVersion: kubernetes-client.io/v1
2+
kind: ExternalSecret
3+
metadata:
4+
name: alicloud-secretsmanager
5+
spec:
6+
backendType: alicloudSecretsManager
7+
# optional: specify role to assume using provided access key ID and access key secret when retrieving the data
8+
roleArn: acs:ram::{UID}:role/demo
9+
data:
10+
- key: hello-credentials1
11+
name: password
12+
- key: hello-credentials2
13+
name: username
14+
# Version Stage in Alibaba Cloud KMS Secrets Manager. Optional, default value is ACSCurrent
15+
versionStage: ACSCurrent

examples/alicloudsecretsmanager-example.yaml

Lines changed: 0 additions & 9 deletions
This file was deleted.

examples/secretsmanager-example.yaml renamed to examples/aws-secretsmanager.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
apiVersion: kubernetes-client.io/v1
22
kind: ExternalSecret
33
metadata:
4-
name: secretsmanager-example
4+
name: aws-secretsmanager
55
spec:
66
backendType: secretsManager
77
# optional: specify role to assume when retrieving the data

examples/aws-ssm-path.yaml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
apiVersion: kubernetes-client.io/v1
2+
kind: ExternalSecret
3+
metadata:
4+
name: aws-ssm-path
5+
spec:
6+
backendType: systemManager
7+
# optional: specify role to assume when retrieving the data
8+
roleArn: arn:aws:iam::123456789012:role/test-role
9+
# optional: specify region
10+
region: us-east-1
11+
data:
12+
- key: /foo/name
13+
name: fooName
14+
- path: /extra-people/
15+
recursive: false

examples/ssm-example.yaml renamed to examples/aws-ssm.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
apiVersion: kubernetes-client.io/v1
22
kind: ExternalSecret
33
metadata:
4-
name: ssm-example
4+
name: aws-ssm
55
spec:
66
backendType: systemManager
77
# optional: specify role to assume when retrieving the data

0 commit comments

Comments
 (0)