From 2fcdc0d7edba692b2741be286e0ed8d8b7a29f02 Mon Sep 17 00:00:00 2001 From: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:24:50 +0200 Subject: [PATCH] chore: bump version v0.10.1 Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> --- Makefile | 2 +- ...ecrets-operator.clusterserviceversion.yaml | 12 +- ...nal-secrets.io_clusterexternalsecrets.yaml | 3 +- ...ternal-secrets.io_clustersecretstores.yaml | 180 +++++++++++++++++- .../external-secrets.io_externalsecrets.yaml | 7 +- .../external-secrets.io_pushsecrets.yaml | 2 +- .../external-secrets.io_secretstores.yaml | 180 +++++++++++++++++- ...s.external-secrets.io_acraccesstokens.yaml | 5 +- ...nal-secrets.io_ecrauthorizationtokens.yaml | 2 +- .../generators.external-secrets.io_fakes.yaml | 2 +- ...s.external-secrets.io_gcraccesstokens.yaml | 2 +- ...xternal-secrets.io_githubaccesstokens.yaml | 2 +- ...erators.external-secrets.io_passwords.yaml | 2 +- ...ternal-secrets.io_vaultdynamicsecrets.yaml | 2 +- ...nerators.external-secrets.io_webhooks.yaml | 2 +- bundle/metadata/annotations.yaml | 1 - config/manager/kustomization.yaml | 2 +- ...ecrets-operator.clusterserviceversion.yaml | 2 +- config/manifests/crds/acraccesstoken.yml | 5 +- .../manifests/crds/clusterexternalsecret.yml | 3 +- config/manifests/crds/clustersecretstore.yml | 155 ++++++++++++++- .../manifests/crds/ecrauthorizationtoken.yml | 2 +- config/manifests/crds/externalsecret.yml | 7 +- config/manifests/crds/fake.yml | 2 +- config/manifests/crds/gcraccesstoken.yml | 2 +- config/manifests/crds/githubaccesstoken.yml | 2 +- config/manifests/crds/password.yml | 2 +- config/manifests/crds/pushsecret.yml | 2 +- config/manifests/crds/secretstore.yml | 155 ++++++++++++++- config/manifests/crds/vaultdynamicsecret.yml | 2 +- config/manifests/crds/webhook.yml | 2 +- 31 files changed, 693 insertions(+), 58 deletions(-) diff --git a/Makefile b/Makefile index be242cb..ec2f070 100644 --- a/Makefile 
+++ b/Makefile @@ -3,7 +3,7 @@ # To re-generate a bundle for another specific version without changing the standard setup, you can: # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 0.10.0 +VERSION ?= 0.10.1 # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") diff --git a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml index 3b02300..a6f898b 100644 --- a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml +++ b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml @@ -375,7 +375,7 @@ metadata: "kind": "ExternalSecret", "metadata": { "annotations": { - "acme.org/sha": "1234" + "acme.org/sha": 1234 }, "labels": { "acme.org/owned-by": "q-team" @@ -671,8 +671,8 @@ metadata: capabilities: Deep Insights categories: Security certified: "false" - containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.0 - createdAt: "2024-08-05T14:35:24Z" + containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.1 + createdAt: "2024-08-28T10:24:30Z" description: Operator to configure external-secrets helm-chart based operator operatorframework.io/cluster-monitoring: "true" operators.openshift.io/infrastructure-features: '["Disconnected"]' @@ -684,7 +684,7 @@ metadata: operatorframework.io/arch.amd64: supported operatorframework.io/arch.ppc64le: supported operatorframework.io/os.linux: supported - name: external-secrets-operator.v0.10.0 + name: external-secrets-operator.v0.10.1 namespace: external-secrets spec: apiservicedefinitions: {} 
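Review bot: In the hunk at `@@ -375,7 +375,7 @@` the embedded ExternalSecret example now carries `"acme.org/sha": 1234` as a JSON number, but Kubernetes annotation values must be strings, so applying this example as written would presumably be rejected by the API server. This file looks generated by the bundle target, so the fix most likely belongs in the source sample: quote the value there (`acme.org/sha: "1234"`) and regenerate so that the bundle emits `"acme.org/sha": "1234"` again. Number-looking identifiers such as SHAs should be quoted in YAML so that tooling does not retype them.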
@@ -976,7 +976,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - image: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.0 + image: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.1 livenessProbe: httpGet: path: /healthz @@ -1074,4 +1074,4 @@ spec: provider: name: External Secrets url: https://external-secrets.io - version: 0.10.0 + version: 0.10.1 diff --git a/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml b/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml index ed3cda9..3422a74 100644 --- a/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml +++ b/bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller @@ -152,7 +152,6 @@ spec: description: |- GeneratorRef points to a generator custom resource. - Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1. properties: diff --git a/bundle/manifests/external-secrets.io_clustersecretstores.yaml b/bundle/manifests/external-secrets.io_clustersecretstores.yaml index 475d4e0..e9c9beb 100644 --- a/bundle/manifests/external-secrets.io_clustersecretstores.yaml +++ b/bundle/manifests/external-secrets.io_clustersecretstores.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller 
@@ -2308,6 +2308,156 @@ spec: required: - vaultUrl type: object + beyondtrust: + description: Beyondtrust configures this store to sync secrets + using Password Safe provider. + properties: + auth: + description: Auth configures how the operator authenticates + with Beyondtrust. + properties: + certificate: + description: Content of the certificate (cert.pem) for + use when authenticating with an OAuth client Id using + a Client Certificate. + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + certificateKey: + description: Certificate private key (key.pem). For use + when authenticating with an OAuth client Id + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + clientId: + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + clientSecret: + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + required: + - clientId + - clientSecret + type: object + server: + description: Auth configures how API server works. + properties: + apiUrl: + type: string + clientTimeOutSeconds: + description: Timeout specifies a time limit for requests + made by this Client. 
The timeout includes connection + time, any redirects, and reading the response body. + Defaults to 45 seconds. + type: integer + retrievalType: + description: The secret retrieval type. SECRET = Secrets + Safe (credential, text, file). MANAGED_ACCOUNT = Password + Safe account associated with a system. + type: string + separator: + description: A character that separates the folder names. + type: string + verifyCA: + type: boolean + required: + - apiUrl + - verifyCA + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider @@ -2354,6 +2504,33 @@ spec: Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack can be performed. type: string + caProvider: + description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' + properties: + key: + description: The key where the CA certificate can be found + in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider + type. + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", + or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object identityURL: type: string organizationID: @@ -2366,7 +2543,6 @@ spec: type: string required: - auth - - caBundle - organizationID - projectID type: object diff --git a/bundle/manifests/external-secrets.io_externalsecrets.yaml b/bundle/manifests/external-secrets.io_externalsecrets.yaml index 7f5f487..1652d1f 100644 --- a/bundle/manifests/external-secrets.io_externalsecrets.yaml +++ b/bundle/manifests/external-secrets.io_externalsecrets.yaml 
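Review bot: The new `beyondtrust.auth` schema accepts an inline `value` string next to `secretRef` for `clientSecret` and `certificateKey`, which puts the OAuth client secret or private key in the store object itself, where it is readable by anyone with get/list on the store rather than gated by Secret RBAC. Consider restricting those two fields to `secretRef` in the Go types this CRD is generated from, or at least saying in the `value` description that it is not meant for credentials. In the same hunk, `server.verifyCA` and `server.apiUrl` have no description, and `server` reuses the text "Auth configures how API server works"; a line such as `verifyCA: when false the server certificate is not verified` would help, assuming that is what the flag does. The identical schema is added in the secretstores bundle manifest and in `config/manifests/crds/clustersecretstore.yml`, so the same point applies there.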
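Review bot: With `caBundle` dropped from `required` at `@@ -2366,7 +2543,6 @@` and `caProvider` added only as an optional field, the schema now admits a bitwardensecretsmanager store that sets neither, although the `caBundle` description still says the sdk MUST run with HTTPS. Unless the controller rejects that case (not visible in this diff), it is unclear which trust roots are then used; a validation rule generated from the Go type, for example `has(self.caBundle) || has(self.caProvider)` under `x-kubernetes-validations`, would keep the guarantee at admission time. It is also worth documenting that a `caProvider` of type `ConfigMap` places the trust anchor in an object that often has broader write access than a Secret. The same change appears in the secretstores bundle manifest and in `config/manifests/crds/clustersecretstore.yml`.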
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller @@ -273,9 +273,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -419,7 +417,6 @@ spec: description: |- GeneratorRef points to a generator custom resource. - Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1. properties: @@ -807,9 +804,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic diff --git a/bundle/manifests/external-secrets.io_pushsecrets.yaml b/bundle/manifests/external-secrets.io_pushsecrets.yaml index 19f5fd6..fcd2e91 100644 --- a/bundle/manifests/external-secrets.io_pushsecrets.yaml +++ b/bundle/manifests/external-secrets.io_pushsecrets.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null name: pushsecrets.external-secrets.io spec: diff --git a/bundle/manifests/external-secrets.io_secretstores.yaml b/bundle/manifests/external-secrets.io_secretstores.yaml index cc749e9..b3de553 100644 --- a/bundle/manifests/external-secrets.io_secretstores.yaml +++ b/bundle/manifests/external-secrets.io_secretstores.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller 
@@ -2308,6 +2308,156 @@ spec: required: - vaultUrl type: object + beyondtrust: + description: Beyondtrust configures this store to sync secrets + using Password Safe provider. + properties: + auth: + description: Auth configures how the operator authenticates + with Beyondtrust. + properties: + certificate: + description: Content of the certificate (cert.pem) for + use when authenticating with an OAuth client Id using + a Client Certificate. + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + certificateKey: + description: Certificate private key (key.pem). For use + when authenticating with an OAuth client Id + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + clientId: + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + clientSecret: + properties: + secretRef: + description: SecretRef references a key in a secret + that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being + referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set + a value without using a secret. + type: string + type: object + required: + - clientId + - clientSecret + type: object + server: + description: Auth configures how API server works. + properties: + apiUrl: + type: string + clientTimeOutSeconds: + description: Timeout specifies a time limit for requests + made by this Client. 
The timeout includes connection + time, any redirects, and reading the response body. + Defaults to 45 seconds. + type: integer + retrievalType: + description: The secret retrieval type. SECRET = Secrets + Safe (credential, text, file). MANAGED_ACCOUNT = Password + Safe account associated with a system. + type: string + separator: + description: A character that separates the folder names. + type: string + verifyCA: + type: boolean + required: + - apiUrl + - verifyCA + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider @@ -2354,6 +2504,33 @@ spec: Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack can be performed. type: string + caProvider: + description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' + properties: + key: + description: The key where the CA certificate can be found + in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider + type. + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", + or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object identityURL: type: string organizationID: @@ -2366,7 +2543,6 @@ spec: type: string required: - auth - - caBundle - organizationID - projectID type: object diff --git a/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml b/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml index ad53825..c9bc103 100644 --- a/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller @@ -41,7 +41,6 @@ spec: This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: @@ -184,12 +183,10 @@ spec: if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. - examples: repository:my-repository:pull,push repository:my-repository:pull - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: diff --git a/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml b/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml index dd7ebfc..79b7a24 100644 --- a/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_fakes.yaml b/bundle/manifests/generators.external-secrets.io_fakes.yaml index 5d1121e..70bcf75 100644 --- a/bundle/manifests/generators.external-secrets.io_fakes.yaml +++ b/bundle/manifests/generators.external-secrets.io_fakes.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml b/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml index 483212b..e61f3d9 100644 --- a/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml b/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml index 4985b6d..c394c0b 100644 --- a/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml +++ b/bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_passwords.yaml b/bundle/manifests/generators.external-secrets.io_passwords.yaml index 2abd93f..9f96d79 100644 --- a/bundle/manifests/generators.external-secrets.io_passwords.yaml +++ b/bundle/manifests/generators.external-secrets.io_passwords.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml b/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml index 992531d..842388d 100644 --- a/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml +++ b/bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/manifests/generators.external-secrets.io_webhooks.yaml b/bundle/manifests/generators.external-secrets.io_webhooks.yaml index 1202ba9..5519897 100644 --- a/bundle/manifests/generators.external-secrets.io_webhooks.yaml +++ b/bundle/manifests/generators.external-secrets.io_webhooks.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 creationTimestamp: null labels: external-secrets.io/component: controller diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index f77459a..e846447 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml 
@@ -9,7 +9,6 @@ annotations: operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: helm.sdk.operatorframework.io/v1 - com.redhat.openshift.versions: v4.11 # Annotations for testing. operators.operatorframework.io.test.mediatype.v1: scorecard+v1 diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 30a97c4..78759f6 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -13,4 +13,4 @@ kind: Kustomization images: - name: controller newName: ghcr.io/external-secrets/external-secrets-helm-operator - newTag: v0.10.0 + newTag: v0.10.1 diff --git a/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml b/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml index 06218a0..b06d275 100644 --- a/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml @@ -6,7 +6,7 @@ metadata: capabilities: Deep Insights categories: Security certified: "false" - containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.0 + containerImage: ghcr.io/external-secrets/external-secrets-helm-operator:v0.10.1 createdAt: "2021-11-22 00:00:00" description: Operator to configure external-secrets helm-chart based operator operatorframework.io/cluster-monitoring: "true" diff --git a/config/manifests/crds/acraccesstoken.yml b/config/manifests/crds/acraccesstoken.yml index 5db751c..1139632 100644 --- a/config/manifests/crds/acraccesstoken.yml +++ b/config/manifests/crds/acraccesstoken.yml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: acraccesstokens.generators.external-secrets.io @@ -30,7 +30,6 @@ spec: This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. - See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: @@ -164,12 +163,10 @@ spec: if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. - examples: repository:my-repository:pull,push repository:my-repository:pull - see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: diff --git a/config/manifests/crds/clusterexternalsecret.yml b/config/manifests/crds/clusterexternalsecret.yml index 98c2736..ffe84cb 100644 --- a/config/manifests/crds/clusterexternalsecret.yml +++ b/config/manifests/crds/clusterexternalsecret.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: clusterexternalsecrets.external-secrets.io @@ -132,7 +132,6 @@ spec: description: |- GeneratorRef points to a generator custom resource. - Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1. properties: diff --git a/config/manifests/crds/clustersecretstore.yml b/config/manifests/crds/clustersecretstore.yml index bf2b93e..5da7833 100644 --- a/config/manifests/crds/clustersecretstore.yml +++ b/config/manifests/crds/clustersecretstore.yml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: clustersecretstores.external-secrets.io 
@@ -2149,6 +2149,134 @@ spec: required: - vaultUrl type: object + beyondtrust: + description: Beyondtrust configures this store to sync secrets using Password Safe provider. + properties: + auth: + description: Auth configures how the operator authenticates with Beyondtrust. + properties: + certificate: + description: Content of the certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + certificateKey: + description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + clientId: + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + clientSecret: + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + required: + - clientId + - clientSecret + type: object + server: + description: Auth configures how API server works. + properties: + apiUrl: + type: string + clientTimeOutSeconds: + description: Timeout specifies a time limit for requests made by this Client. 
The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. + type: integer + retrievalType: + description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. + type: string + separator: + description: A character that separates the folder names. + type: string + verifyCA: + type: boolean + required: + - apiUrl + - verifyCA + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider properties: @@ -2192,6 +2320,30 @@ spec: Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack can be performed. type: string + caProvider: + description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object identityURL: type: string organizationID: @@ -2202,7 +2354,6 @@ spec: type: string required: - auth - - caBundle - organizationID - projectID type: object diff --git a/config/manifests/crds/ecrauthorizationtoken.yml b/config/manifests/crds/ecrauthorizationtoken.yml index 2b3ef8b..8dbab44 100644 --- a/config/manifests/crds/ecrauthorizationtoken.yml +++ b/config/manifests/crds/ecrauthorizationtoken.yml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: ecrauthorizationtokens.generators.external-secrets.io diff --git a/config/manifests/crds/externalsecret.yml b/config/manifests/crds/externalsecret.yml index 85ffb47..8848f63 100644 --- a/config/manifests/crds/externalsecret.yml +++ b/config/manifests/crds/externalsecret.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: externalsecrets.external-secrets.io @@ -251,9 +251,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -390,7 +388,6 @@ spec: description: |- GeneratorRef points to a generator custom resource. - Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1. properties: 
@@ -762,9 +759,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic diff --git a/config/manifests/crds/fake.yml b/config/manifests/crds/fake.yml index b872f43..67e8432 100644 --- a/config/manifests/crds/fake.yml +++ b/config/manifests/crds/fake.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: fakes.generators.external-secrets.io diff --git a/config/manifests/crds/gcraccesstoken.yml b/config/manifests/crds/gcraccesstoken.yml index f7a951c..4b76960 100644 --- a/config/manifests/crds/gcraccesstoken.yml +++ b/config/manifests/crds/gcraccesstoken.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: gcraccesstokens.generators.external-secrets.io diff --git a/config/manifests/crds/githubaccesstoken.yml b/config/manifests/crds/githubaccesstoken.yml index ecbad5f..805f340 100644 --- a/config/manifests/crds/githubaccesstoken.yml +++ b/config/manifests/crds/githubaccesstoken.yml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: githubaccesstokens.generators.external-secrets.io diff --git a/config/manifests/crds/password.yml b/config/manifests/crds/password.yml index 68bd8af..aa853c5 100644 --- a/config/manifests/crds/password.yml +++ b/config/manifests/crds/password.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: passwords.generators.external-secrets.io diff --git a/config/manifests/crds/pushsecret.yml b/config/manifests/crds/pushsecret.yml index 75ba3c4..586995a 100644 --- a/config/manifests/crds/pushsecret.yml +++ b/config/manifests/crds/pushsecret.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: pushsecrets.external-secrets.io spec: group: external-secrets.io diff --git a/config/manifests/crds/secretstore.yml b/config/manifests/crds/secretstore.yml index 981b4a0..e1fcaa0 100644 --- a/config/manifests/crds/secretstore.yml +++ b/config/manifests/crds/secretstore.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: secretstores.external-secrets.io 
@@ -2149,6 +2149,134 @@ spec: required: - vaultUrl type: object + beyondtrust: + description: Beyondtrust configures this store to sync secrets using Password Safe provider. + properties: + auth: + description: Auth configures how the operator authenticates with Beyondtrust. + properties: + certificate: + description: Content of the certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate. + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + certificateKey: + description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
+ type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + clientId: + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + clientSecret: + properties: + secretRef: + description: SecretRef references a key in a secret that will be used as value. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + value: + description: Value can be specified directly to set a value without using a secret. + type: string + type: object + required: + - clientId + - clientSecret + type: object + server: + description: Auth configures how API server works. + properties: + apiUrl: + type: string + clientTimeOutSeconds: + description: Timeout specifies a time limit for requests made by this Client. 
The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds. + type: integer + retrievalType: + description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system. + type: string + separator: + description: A character that separates the folder names. + type: string + verifyCA: + type: boolean + required: + - apiUrl + - verifyCA + type: object + required: + - auth + - server + type: object bitwardensecretsmanager: description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider properties: @@ -2192,6 +2320,30 @@ spec: Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack can be performed. type: string + caProvider: + description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider' + properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object identityURL: type: string organizationID: @@ -2202,7 +2354,6 @@ spec: type: string required: - auth - - caBundle - organizationID - projectID type: object diff --git a/config/manifests/crds/vaultdynamicsecret.yml b/config/manifests/crds/vaultdynamicsecret.yml index 782d21c..03bf84b 100644 --- a/config/manifests/crds/vaultdynamicsecret.yml +++ b/config/manifests/crds/vaultdynamicsecret.yml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: vaultdynamicsecrets.generators.external-secrets.io diff --git a/config/manifests/crds/webhook.yml b/config/manifests/crds/webhook.yml index 7aacce1..1639d46 100644 --- a/config/manifests/crds/webhook.yml +++ b/config/manifests/crds/webhook.yml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 labels: external-secrets.io/component: controller name: webhooks.generators.external-secrets.io