From a29293835ca57509ea278946b3c030203906aa9e Mon Sep 17 00:00:00 2001 From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Date: Wed, 20 Nov 2024 21:15:01 +0100 Subject: [PATCH] chore: bump version v0.10.6 
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --- Makefile | 2 +- ...ecrets-operator.clusterserviceversion.yaml | 13 +- ...nal-secrets.io_clusterexternalsecrets.yaml | 6 +- ...ternal-secrets.io_clustersecretstores.yaml | 2 +- .../external-secrets.io_externalsecrets.yaml | 6 +- .../external-secrets.io_pushsecrets.yaml | 2 +- .../external-secrets.io_secretstores.yaml | 2 +- ...s.external-secrets.io_acraccesstokens.yaml | 2 +- ...nal-secrets.io_ecrauthorizationtokens.yaml | 2 +- .../generators.external-secrets.io_fakes.yaml | 2 +- ...s.external-secrets.io_gcraccesstokens.yaml | 2 +- ...xternal-secrets.io_githubaccesstokens.yaml | 15 +- ...erators.external-secrets.io_passwords.yaml | 2 +- ....external-secrets.io_stssessiontokens.yaml | 200 ++++++++++++++++++ .../generators.external-secrets.io_uuids.yaml | 2 +- ...ternal-secrets.io_vaultdynamicsecrets.yaml | 11 +- ...nerators.external-secrets.io_webhooks.yaml | 2 +- config/manager/kustomization.yaml | 2 +- ...ecrets-operator.clusterserviceversion.yaml | 2 +- config/manifests/crds/acraccesstoken.yml | 2 +- .../manifests/crds/clusterexternalsecret.yml | 6 +- config/manifests/crds/clustersecretstore.yml | 2 +- .../manifests/crds/ecrauthorizationtoken.yml | 2 +- config/manifests/crds/externalsecret.yml | 6 +- config/manifests/crds/fake.yml | 2 +- config/manifests/crds/gcraccesstoken.yml | 2 +- config/manifests/crds/githubaccesstoken.yml | 14 +- config/manifests/crds/password.yml | 2 +- config/manifests/crds/pushsecret.yml | 2 +- config/manifests/crds/secretstore.yml | 2 +- config/manifests/crds/stssessiontoken.yml | 187 ++++++++++++++++ config/manifests/crds/uuid.yml | 2 +- config/manifests/crds/vaultdynamicsecret.yml | 11 +- config/manifests/crds/webhook.yml | 2 +- config/manifests/kustomization.yaml | 1 + 35 files changed, 482 insertions(+), 40 deletions(-) create mode 100644 bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml create mode 100644 
config/manifests/crds/stssessiontoken.yml
diff --git a/Makefile b/Makefile
index d459b89..9e8ac57 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.10.5
+VERSION ?= 0.10.6
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
diff --git a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
index 1ec137a..aea0b2e 100644
--- a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
@@ -671,8 +671,8 @@ metadata:
 capabilities: Deep Insights
 categories: Security
 certified: "false"
- containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.5
- createdAt: "2024-10-25T08:32:11Z"
+ containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.6
+ createdAt: "2024-11-20T20:14:01Z"
 description: Operator to configure external-secrets helm-chart based operator
 operatorframework.io/cluster-monitoring: "true"
 operators.openshift.io/infrastructure-features: '["Disconnected"]'
@@ -684,7 +684,7 @@ metadata:
 operatorframework.io/arch.amd64: supported
 operatorframework.io/arch.ppc64le: supported
 operatorframework.io/os.linux: supported
- name: external-secrets-operator.v0.10.5
+ name: external-secrets-operator.v0.10.6
 namespace: external-secrets
 spec:
 apiservicedefinitions: {}
@@ -752,6 +752,9 @@ spec: kind: SecretStore name: secretstores.external-secrets.io version: v1beta1 + - kind: STSSessionToken + name: stssessiontokens.generators.external-secrets.io + version: v1alpha1 - kind: UUID name: uuids.generators.external-secrets.io version: v1alpha1 @@ -979,7 +982,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - image: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.5 + image: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.6 livenessProbe: httpGet: path: /healthz @@ -1077,4 +1080,4 @@ spec: provider: name: External Secrets url: https://external-secrets.io - version: 0.10.5 + version: 0.10.6 diff --git a/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml b/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml index 0bfabc9..7e404d7 100644 --- a/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml +++ b/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller @@ -368,8 +368,10 @@ spec: refreshInterval: default: 1h description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider + RefreshInterval is the amount of time before the values are read again from the SecretStore provider, + specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + Example values: "1h", "2h30m", "5d", "10s" May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: diff --git a/bundle/manifests/external-secrets.io_clustersecretstores.yaml b/bundle/manifests/external-secrets.io_clustersecretstores.yaml index 24fb980..a40f554 100644 
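Review bot: In the clusterexternalsecrets `refreshInterval` hunk, the new description says the value is a Go duration string with units "ns", "us", "ms", "s", "m", "h" and then lists `"5d"` as an example; Go's duration grammar has no day unit, so that example contradicts the units it just listed and would be rejected by a controller that parses the field as a Go duration, which the description itself states it does. The identical text is repeated in the externalsecrets CRD and the config/manifests copies later in this patch. I would change the example line to `Example values: "1h", "2h30m", "120h", "10s"` so every example is actually accepted. Since these CRDs are generated from the upstream external-secrets Go types (see the controller-gen annotation), the fix belongs in the upstream type comment and should be regenerated here rather than hand-edited.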
--- a/bundle/manifests/external-secrets.io_clustersecretstores.yaml +++ b/bundle/manifests/external-secrets.io_clustersecretstores.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/external-secrets.io_externalsecrets.yaml b/bundle/manifests/external-secrets.io_externalsecrets.yaml index 859881a..82fb291 100644 --- a/bundle/manifests/external-secrets.io_externalsecrets.yaml +++ b/bundle/manifests/external-secrets.io_externalsecrets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller @@ -632,8 +632,10 @@ spec: refreshInterval: default: 1h description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider + RefreshInterval is the amount of time before the values are read again from the SecretStore provider, + specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + Example values: "1h", "2h30m", "5d", "10s" May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: diff --git a/bundle/manifests/external-secrets.io_pushsecrets.yaml b/bundle/manifests/external-secrets.io_pushsecrets.yaml index 7779d40..5d1cc0a 100644 --- a/bundle/manifests/external-secrets.io_pushsecrets.yaml +++ b/bundle/manifests/external-secrets.io_pushsecrets.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/external-secrets.io_secretstores.yaml b/bundle/manifests/external-secrets.io_secretstores.yaml index 2aee64b..d9e62c1 100644 --- a/bundle/manifests/external-secrets.io_secretstores.yaml +++ b/bundle/manifests/external-secrets.io_secretstores.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml b/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml index 96f35ba..61760c6 100644 --- a/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml b/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml index de98f1f..9173a64 100644 --- a/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_fakes.yaml b/bundle/manifests/generators.external-secrets.io_fakes.yaml index 1acd925..4c4df8e 100644 --- a/bundle/manifests/generators.external-secrets.io_fakes.yaml +++ b/bundle/manifests/generators.external-secrets.io_fakes.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml b/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml index d915f23..c2a8fd9 100644 --- a/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml b/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml index 5090832..720fa86 100644 --- a/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller @@ -90,6 +90,19 @@ spec: type: object installID: type: string + permissions: + additionalProperties: + type: string + description: Map of permissions the token will have. If omitted, defaults + to all permissions the GitHub App has. + type: object + repositories: + description: |- + List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App + is installed to. + items: + type: string + type: array url: description: URL configures the Github instance URL. Defaults to https://github.com/. type: string diff --git a/bundle/manifests/generators.external-secrets.io_passwords.yaml b/bundle/manifests/generators.external-secrets.io_passwords.yaml index 88d0de2..57d50e1 100644 --- a/bundle/manifests/generators.external-secrets.io_passwords.yaml +++ b/bundle/manifests/generators.external-secrets.io_passwords.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml b/bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml new file mode 100644 index 0000000..f241e7f --- /dev/null +++ b/bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml 
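Review bot: In the githubaccesstokens `@@ -90,6 +90,19 @@` hunk, the new `permissions` and `repositories` fields both default, when omitted, to everything the GitHub App installation has, so a spec that sets neither mints the broadest possible installation token; that is the opposite of least privilege and worth saying outright so authors scope tokens deliberately, e.g. appending `Scope both fields to the minimum the consuming workload needs; an unscoped token carries every permission and repository of the installation.` to the `permissions` description. The `permissions` map values are free-form strings with no `enum`, so a typo like `"writ"` passes admission and presumably only surfaces as a failed request in the generator's status; if the accepted level set can be pinned (read/write, plus admin for a few permission names) an enum would catch it earlier. As with the other CRDs in this patch this file is generated, so the change belongs in the upstream Go type markers.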
@@ -0,0 +1,200 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.5 + creationTimestamp: null + labels: + external-secrets.io/component: controller + name: stssessiontokens.generators.external-secrets.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: kubernetes + namespace: default + path: /convert + conversionReviewVersions: + - v1 + group: generators.external-secrets.io + names: + categories: + - external-secrets + - external-secrets-generators + kind: STSSessionToken + listKind: STSSessionTokenList + plural: stssessiontokens + shortNames: + - stssessiontoken + singular: stssessiontoken + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + STSSessionToken uses the GetSessionToken API to retrieve an authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded. + For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + auth: + description: Auth defines how to authenticate with AWS + properties: + jwt: + description: Authenticate against AWS using service account tokens. + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. + properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + required: + - name + type: object + type: object + secretRef: + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred + to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred + to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + sessionTokenSecretRef: + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred + to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + type: object + region: + description: Region specifies the region to operate in. + type: string + requestParameters: + description: RequestParameters contains parameters that can be passed + to the STS service. + properties: + serialNumber: + description: |- + SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making + the GetSessionToken call. 
+ Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device + (such as arn:aws:iam::123456789012:mfa/user) + type: string + sessionDuration: + description: |- + SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for + IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds + (12 hours) as the default. + format: int64 + type: integer + tokenCode: + description: TokenCode is the value provided by the MFA device, + if MFA is required. + type: string + type: object + role: + description: |- + You can assume a role before making calls to the + desired AWS service. + type: string + required: + - region + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/generators.external-secrets.io_uuids.yaml b/bundle/manifests/generators.external-secrets.io_uuids.yaml index 25252a3..70d9b6c 100644 --- a/bundle/manifests/generators.external-secrets.io_uuids.yaml +++ b/bundle/manifests/generators.external-secrets.io_uuids.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml b/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml index 8bff0a9..c57cb5b 100644 --- a/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml +++ b/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml 
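Review bot: The STSSessionToken type description in the new bundle CRD reads as a copy of the ECR generator text: GetSessionToken returns a temporary AccessKeyId/SecretAccessKey/SessionToken triple rather than a base64 "authorizationToken", and its lifetime is governed by the `sessionDuration` field documented further down in the same hunk (900–129,600 s, default 43,200), not a fixed 12 hours, so I would replace those two sentences with `Returns temporary AWS credentials (AccessKeyId, SecretAccessKey, SessionToken) valid for spec.requestParameters.sessionDuration seconds (default 12 hours).` `sessionDuration` states that range but does not enforce it; adding `minimum: 900` and `maximum: 129600` under it rejects out-of-range values at admission instead of at STS call time. `tokenCode` takes an MFA one-time code as a plain spec string; such codes are generally single-use and short-lived, so a value hard-coded in the spec is spent on the first reconcile and then sits in etcd (and likely git), and if MFA-gated callers are a real use case a secret reference would fit the rest of the `auth` block better. The `conversion.webhook.clientConfig.service` pointing at `kubernetes` in `default` with path `/convert` looks like the operator-sdk placeholder: it is inert while v1alpha1 is the only served version, but any later second version would route conversion requests to the API server's own Service, so it is worth confirming this matches the sibling bundle CRDs, which are outside this view. The field-level fixes belong in the upstream Go types since this CRD is generated.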
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller @@ -721,6 +721,15 @@ spec: - Data - Auth type: string + retrySettings: + description: Used to configure http retries if failed + properties: + maxRetries: + format: int32 + type: integer + retryInterval: + type: string + type: object required: - path - provider diff --git a/bundle/manifests/generators.external-secrets.io_webhooks.yaml b/bundle/manifests/generators.external-secrets.io_webhooks.yaml index 66f1b5d..a9adbaf 100644 --- a/bundle/manifests/generators.external-secrets.io_webhooks.yaml +++ b/bundle/manifests/generators.external-secrets.io_webhooks.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 2c6dd33..e354aab 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -13,4 +13,4 @@ kind: Kustomization images: - name: controller newName: ghcr.io/external-secrets/external-secrets-helm-operator - newTag: v0.10.5 + newTag: v0.10.6 diff --git a/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml b/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml index b458a59..5f7a629 100644 --- a/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml 
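Review bot: In the vaultdynamicsecrets `@@ -721,6 +721,15 @@` hunk, the new `retrySettings` block documents neither of its fields: `retryInterval` is a bare string with no description, unit or format, and `maxRetries` is an int32 with no lower bound, so a negative retry count passes admission. I would add `minimum: 0` under `maxRetries` and a description on `retryInterval` such as `Delay between retries as a Go duration string, e.g. "5s".`, hedged because the hunk does not show how the controller parses the value. As with the other CRDs in this patch the change belongs in the upstream Go type markers and should be regenerated.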
@@ -6,7 +6,7 @@ metadata: capabilities: Deep Insights categories: Security certified: "false" - containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.5 + containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.6 createdAt: "2021-11-22 00:00:00" description: Operator to configure external-secrets helm-chart based operator operatorframework.io/cluster-monitoring: "true" diff --git a/config/manifests/crds/acraccesstoken.yml b/config/manifests/crds/acraccesstoken.yml index 1019320..2183109 100644 --- a/config/manifests/crds/acraccesstoken.yml +++ b/config/manifests/crds/acraccesstoken.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: acraccesstokens.generators.external-secrets.io diff --git a/config/manifests/crds/clusterexternalsecret.yml b/config/manifests/crds/clusterexternalsecret.yml index 2552566..1265311 100644 --- a/config/manifests/crds/clusterexternalsecret.yml +++ b/config/manifests/crds/clusterexternalsecret.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: clusterexternalsecrets.external-secrets.io 
@@ -335,8 +335,10 @@ spec: refreshInterval: default: 1h description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider + RefreshInterval is the amount of time before the values are read again from the SecretStore provider, + specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + Example values: "1h", "2h30m", "5d", "10s" May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: diff --git a/config/manifests/crds/clustersecretstore.yml b/config/manifests/crds/clustersecretstore.yml index 6f7f5b5..fb80bfb 100644 --- a/config/manifests/crds/clustersecretstore.yml +++ b/config/manifests/crds/clustersecretstore.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: clustersecretstores.external-secrets.io diff --git a/config/manifests/crds/ecrauthorizationtoken.yml b/config/manifests/crds/ecrauthorizationtoken.yml index 121d936..72ad7e3 100644 --- a/config/manifests/crds/ecrauthorizationtoken.yml +++ b/config/manifests/crds/ecrauthorizationtoken.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: ecrauthorizationtokens.generators.external-secrets.io diff --git a/config/manifests/crds/externalsecret.yml b/config/manifests/crds/externalsecret.yml index 35d366b..f965a0f 100644 --- a/config/manifests/crds/externalsecret.yml +++ b/config/manifests/crds/externalsecret.yml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: externalsecrets.external-secrets.io @@ -591,8 +591,10 @@ spec: refreshInterval: default: 1h description: |- - RefreshInterval is the amount of time before the values are read again from the SecretStore provider + RefreshInterval is the amount of time before the values are read again from the SecretStore provider, + specified as Golang Duration strings. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + Example values: "1h", "2h30m", "5d", "10s" May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: diff --git a/config/manifests/crds/fake.yml b/config/manifests/crds/fake.yml index 27f4dcd..4bcfcc7 100644 --- a/config/manifests/crds/fake.yml +++ b/config/manifests/crds/fake.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: fakes.generators.external-secrets.io diff --git a/config/manifests/crds/gcraccesstoken.yml b/config/manifests/crds/gcraccesstoken.yml index ee01ffb..3eada91 100644 --- a/config/manifests/crds/gcraccesstoken.yml +++ b/config/manifests/crds/gcraccesstoken.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io diff --git a/config/manifests/crds/githubaccesstoken.yml b/config/manifests/crds/githubaccesstoken.yml index 9d11388..e522d83 100644 
--- a/config/manifests/crds/githubaccesstoken.yml +++ b/config/manifests/crds/githubaccesstoken.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: githubaccesstokens.generators.external-secrets.io @@ -78,6 +78,18 @@ spec: type: object installID: type: string + permissions: + additionalProperties: + type: string + description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has. + type: object + repositories: + description: |- + List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App + is installed to. + items: + type: string + type: array url: description: URL configures the Github instance URL. Defaults to https://github.com/. type: string diff --git a/config/manifests/crds/password.yml b/config/manifests/crds/password.yml index 1eed80b..950ad17 100644 --- a/config/manifests/crds/password.yml +++ b/config/manifests/crds/password.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: passwords.generators.external-secrets.io diff --git a/config/manifests/crds/pushsecret.yml b/config/manifests/crds/pushsecret.yml index e628073..6f0fdc1 100644 --- a/config/manifests/crds/pushsecret.yml +++ b/config/manifests/crds/pushsecret.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: pushsecrets.external-secrets.io 
diff --git a/config/manifests/crds/secretstore.yml b/config/manifests/crds/secretstore.yml index 1740ef8..546e872 100644 --- a/config/manifests/crds/secretstore.yml +++ b/config/manifests/crds/secretstore.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: secretstores.external-secrets.io diff --git a/config/manifests/crds/stssessiontoken.yml b/config/manifests/crds/stssessiontoken.yml new file mode 100644 index 0000000..498bf7b --- /dev/null +++ b/config/manifests/crds/stssessiontoken.yml 
@@ -0,0 +1,187 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.5 + labels: + external-secrets.io/component: controller + name: stssessiontokens.generators.external-secrets.io +spec: + group: generators.external-secrets.io + names: + categories: + - external-secrets + - external-secrets-generators + kind: STSSessionToken + listKind: STSSessionTokenList + plural: stssessiontokens + shortNames: + - stssessiontoken + singular: stssessiontoken + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + STSSessionToken uses the GetSessionToken API to retrieve an authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded. + For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + auth: + description: Auth defines how to authenticate with AWS + properties: + jwt: + description: Authenticate against AWS using service account tokens. + properties: + serviceAccountRef: + description: A reference to a ServiceAccount resource. 
+ properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + required: + - name + type: object + type: object + secretRef: + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + properties: + accessKeyIDSecretRef: + description: The AccessKeyID is used for authentication + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + sessionTokenSecretRef: + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object + type: object + region: + description: Region specifies the region to operate in. + type: string + requestParameters: + description: RequestParameters contains parameters that can be passed to the STS service. + properties: + serialNumber: + description: |- + SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making + the GetSessionToken call. + Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device + (such as arn:aws:iam::123456789012:mfa/user) + type: string + sessionDuration: + description: |- + SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for + IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds + (12 hours) as the default. + format: int64 + type: integer + tokenCode: + description: TokenCode is the value provided by the MFA device, if MFA is required. + type: string + type: object + role: + description: |- + You can assume a role before making calls to the + desired AWS service. 
+ type: string + required: + - region + type: object + type: object + served: true + storage: true + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: + - v1 + clientConfig: + service: + name: kubernetes + namespace: default + path: /convert diff --git a/config/manifests/crds/uuid.yml b/config/manifests/crds/uuid.yml index 6902b01..26dc344 100644 --- a/config/manifests/crds/uuid.yml +++ b/config/manifests/crds/uuid.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: uuids.generators.external-secrets.io diff --git a/config/manifests/crds/vaultdynamicsecret.yml b/config/manifests/crds/vaultdynamicsecret.yml index 9f5e5d0..d9e0faa 100644 --- a/config/manifests/crds/vaultdynamicsecret.yml +++ b/config/manifests/crds/vaultdynamicsecret.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: vaultdynamicsecrets.generators.external-secrets.io @@ -677,6 +677,15 @@ spec: - Data - Auth type: string + retrySettings: + description: Used to configure http retries if failed + properties: + maxRetries: + format: int32 + type: integer + retryInterval: + type: string + type: object required: - path - provider diff --git a/config/manifests/crds/webhook.yml b/config/manifests/crds/webhook.yml index ea7c350..74f5419 100644 --- a/config/manifests/crds/webhook.yml +++ b/config/manifests/crds/webhook.yml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.5 labels: external-secrets.io/component: controller name: webhooks.generators.external-secrets.io diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 6e5f60e..936b498 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -23,3 +23,4 @@ resources: - crds/webhook.yml - crds/githubaccesstoken.yml - crds/uuid.yml +- crds/stssessiontoken.yml