
Commit 1755b63

ESO-83: Moves CertManagerConfig to ExternalSecretsConfig instead of WebhookConfig
1 parent 543f868 commit 1755b63

18 files changed

+208
-215
lines changed

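--- a/api/v1alpha1/external_secrets_manager_types.go
+++ b/api/v1alpha1/external_secrets_manager_types.go
@@ -61,6 +61,7 @@ type ExternalSecretsManagerSpec struct {
 GlobalConfig *GlobalConfig `json:"globalConfig,omitempty"`
 
 // features is for enabling the optional operator features.
+// +kubebuilder:validation:Optional
 Features []Feature `json:"features,omitempty"`
 }
 
@@ -153,7 +154,7 @@ type Condition struct {
 Type string `json:"type"`
 
 // status of the condition
-Status metav1.ConditionStatus `json:"status" `
+Status metav1.ConditionStatus `json:"status"`
 
 // message provides details about the state.
 Message string `json:"message"`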

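--- a/api/v1alpha1/external_secrets_types.go
+++ b/api/v1alpha1/external_secrets_types.go
@@ -81,19 +81,24 @@ type ExternalSecretsConfig struct {
 // +kubebuilder:validation:Optional
 LogLevel int32 `json:"logLevel,omitempty"`
 
-// bitwardenSecretManagerProvider is for enabling the bitwarden secrets manager provider and
-// for setting up the additional service required for connecting with the bitwarden server.
-// +kubebuilder:validation:Optional
-BitwardenSecretManagerProvider *BitwardenSecretManagerProvider `json:"bitwardenSecretManagerProvider,omitempty"`
-
 // operatingNamespace is for restricting the external-secrets operations to provided namespace.
 // And when enabled `ClusterSecretStore` and `ClusterExternalSecret` are implicitly disabled.
 // +kubebuilder:validation:Optional
 OperatingNamespace string `json:"operatingNamespace,omitempty"`
 
+// bitwardenSecretManagerProvider is for enabling the bitwarden secrets manager provider and
+// for setting up the additional service required for connecting with the bitwarden server.
+// +kubebuilder:validation:Optional
+BitwardenSecretManagerProvider *BitwardenSecretManagerProvider `json:"bitwardenSecretManagerProvider,omitempty"`
+
 // webhookConfig is for configuring external-secrets webhook specifics.
 WebhookConfig *WebhookConfig `json:"webhookConfig,omitempty"`
 
+// CertManagerConfig is for configuring cert-manager specifics, which will be used for generating
+// certificates for webhook and bitwarden-sdk-server components.
+// +kubebuilder:validation:Optional
+CertManagerConfig *CertManagerConfig `json:"certManagerConfig,omitempty"`
+
 // resources is for defining the resource requirements.
 // Cannot be updated.
 // ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
@@ -159,19 +164,16 @@ type WebhookConfig struct {
 // +kubebuilder:default:="5m"
 // +kubebuilder:validation:Optional
 CertificateCheckInterval metav1.Duration `json:"certificateCheckInterval,omitempty"`
-
-// CertManagerConfig is for configuring cert-manager specifics.
-// +kubebuilder:validation:Optional
-CertManagerConfig *CertManagerConfig `json:"certManagerConfig,omitempty"`
 }
 
 // CertManagerConfig is for configuring cert-manager specifics.
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.issuerRef) && !has(self.issuerRef) || has(oldSelf.issuerRef) && has(self.issuerRef)",message="issuerRef may only be configured during creation"
+// +kubebuilder:validation:XValidation:rule="has(self.addInjectorAnnotations) && self.addInjectorAnnotations != 'false' ? self.enabled != 'false' : true",message="certManagerConfig must have enabled set, to set addInjectorAnnotations"
 type CertManagerConfig struct {
 // enabled is for enabling the use of cert-manager for obtaining and renewing the
 // certificates used for webhook server, instead of built-in certificates.
 // Use `true` or `false` to indicate the preference.
 // +kubebuilder:default:="false"
+// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="enabled is immutable once set"
 // +kubebuilder:validation:Enum:="true";"false"
 // +kubebuilder:validation:Required
 Enabled string `json:"enabled,omitempty"`
@@ -198,6 +200,7 @@ type CertManagerConfig struct {
 
 // certificateRenewBefore is the ahead time to renew the webhook certificate
 // before expiry.
+// +kubebuilder:default:="30m"
 // +kubebuilder:validation:Optional
 CertificateRenewBefore *metav1.Duration `json:"certificateRenewBefore,omitempty"`
 }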

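--- a/api/v1alpha1/meta.go
+++ b/api/v1alpha1/meta.go
@@ -16,18 +16,20 @@ type ConditionalStatus struct {
 // ObjectReference is a reference to an object with a given name, kind and group.
 type ObjectReference struct {
 // Name of the resource being referred to.
+// +kubebuilder:validation:Required
 Name string `json:"name"`
 // Kind of the resource being referred to.
-// +optional
+// +kubebuilder:validation:Optional
 Kind string `json:"kind,omitempty"`
 // Group of the resource being referred to.
-// +optional
+// +kubebuilder:validation:Optional
 Group string `json:"group,omitempty"`
 }
 
 // SecretReference is a reference to the secret with the given name, which should exist
 // in the same namespace where it will be utilized.
 type SecretReference struct {
 // Name of the secret resource being referred to.
+// +kubebuilder:validation:Required
 Name string `json:"name"`
 }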

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 5 additions & 5 deletions

bundle/manifests/operator.openshift.io_externalsecrets.yaml

Lines changed: 68 additions & 64 deletions
Original file line numberDiff line numberDiff line change
@@ -1033,6 +1033,74 @@ spec:
10331033
- name
10341034
type: object
10351035
type: object
1036+
certManagerConfig:
1037+
description: |-
1038+
CertManagerConfig is for configuring cert-manager specifics, which will be used for generating
1039+
certificates for webhook and bitwarden-sdk-server components.
1040+
properties:
1041+
addInjectorAnnotations:
1042+
default: "false"
1043+
description: |-
1044+
addInjectorAnnotations is for adding the `cert-manager.io/inject-ca-from` annotation to the
1045+
webhooks and CRDs to automatically setup webhook to the cert-manager CA. This requires
1046+
CA Injector to be enabled in cert-manager. Use `true` or `false` to indicate the preference.
1047+
enum:
1048+
- "true"
1049+
- "false"
1050+
type: string
1051+
certificateDuration:
1052+
default: 8760h
1053+
description: certificateDuration is the validity period of
1054+
the webhook certificate.
1055+
type: string
1056+
certificateRenewBefore:
1057+
default: 30m
1058+
description: |-
1059+
certificateRenewBefore is the ahead time to renew the webhook certificate
1060+
before expiry.
1061+
type: string
1062+
enabled:
1063+
default: "false"
1064+
description: |-
1065+
enabled is for enabling the use of cert-manager for obtaining and renewing the
1066+
certificates used for webhook server, instead of built-in certificates.
1067+
Use `true` or `false` to indicate the preference.
1068+
enum:
1069+
- "true"
1070+
- "false"
1071+
type: string
1072+
x-kubernetes-validations:
1073+
- message: enabled is immutable once set
1074+
rule: self == oldSelf
1075+
issuerRef:
1076+
description: |-
1077+
issuerRef contains details to the referenced object used for
1078+
obtaining the certificates. It must exist in the external-secrets
1079+
namespace if not using a cluster-scoped cert-manager issuer.
1080+
properties:
1081+
group:
1082+
description: Group of the resource being referred to.
1083+
type: string
1084+
kind:
1085+
description: Kind of the resource being referred to.
1086+
type: string
1087+
name:
1088+
description: Name of the resource being referred to.
1089+
type: string
1090+
required:
1091+
- name
1092+
type: object
1093+
x-kubernetes-validations:
1094+
- message: issuerRef is immutable once set
1095+
rule: self == oldSelf
1096+
required:
1097+
- enabled
1098+
- issuerRef
1099+
type: object
1100+
x-kubernetes-validations:
1101+
- message: certManagerConfig must have enabled set, to set addInjectorAnnotations
1102+
rule: 'has(self.addInjectorAnnotations) && self.addInjectorAnnotations
1103+
!= ''false'' ? self.enabled != ''false'' : true'
10361104
logLevel:
10371105
default: 1
10381106
description: logLevel supports value range as per [kubernetes
@@ -1162,70 +1230,6 @@ spec:
11621230
description: webhookConfig is for configuring external-secrets
11631231
webhook specifics.
11641232
properties:
1165-
certManagerConfig:
1166-
description: CertManagerConfig is for configuring cert-manager
1167-
specifics.
1168-
properties:
1169-
addInjectorAnnotations:
1170-
default: "false"
1171-
description: |-
1172-
addInjectorAnnotations is for adding the `cert-manager.io/inject-ca-from` annotation to the
1173-
webhooks and CRDs to automatically setup webhook to the cert-manager CA. This requires
1174-
CA Injector to be enabled in cert-manager. Use `true` or `false` to indicate the preference.
1175-
enum:
1176-
- "true"
1177-
- "false"
1178-
type: string
1179-
certificateDuration:
1180-
default: 8760h
1181-
description: certificateDuration is the validity period
1182-
of the webhook certificate.
1183-
type: string
1184-
certificateRenewBefore:
1185-
description: |-
1186-
certificateRenewBefore is the ahead time to renew the webhook certificate
1187-
before expiry.
1188-
type: string
1189-
enabled:
1190-
default: "false"
1191-
description: |-
1192-
enabled is for enabling the use of cert-manager for obtaining and renewing the
1193-
certificates used for webhook server, instead of built-in certificates.
1194-
Use `true` or `false` to indicate the preference.
1195-
enum:
1196-
- "true"
1197-
- "false"
1198-
type: string
1199-
issuerRef:
1200-
description: |-
1201-
issuerRef contains details to the referenced object used for
1202-
obtaining the certificates. It must exist in the external-secrets
1203-
namespace if not using a cluster-scoped cert-manager issuer.
1204-
properties:
1205-
group:
1206-
description: Group of the resource being referred
1207-
to.
1208-
type: string
1209-
kind:
1210-
description: Kind of the resource being referred to.
1211-
type: string
1212-
name:
1213-
description: Name of the resource being referred to.
1214-
type: string
1215-
required:
1216-
- name
1217-
type: object
1218-
x-kubernetes-validations:
1219-
- message: issuerRef is immutable once set
1220-
rule: self == oldSelf
1221-
required:
1222-
- enabled
1223-
- issuerRef
1224-
type: object
1225-
x-kubernetes-validations:
1226-
- message: issuerRef may only be configured during creation
1227-
rule: '!has(oldSelf.issuerRef) && !has(self.issuerRef) ||
1228-
has(oldSelf.issuerRef) && has(self.issuerRef)'
12291233
certificateCheckInterval:
12301234
default: 5m
12311235
description: |-
