diff --git a/golang-external-secrets/Chart.yaml b/golang-external-secrets/Chart.yaml
index 9b2c3b6d9..54675dd33 100644
--- a/golang-external-secrets/Chart.yaml
+++ b/golang-external-secrets/Chart.yaml
@@ -6,6 +6,6 @@ name: golang-external-secrets
 version: 0.0.3
 dependencies:
 - name: external-secrets
- version: "0.9.5"
+ version: "0.9.8"
 repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets"
diff --git a/golang-external-secrets/charts/external-secrets-0.9.5.tgz b/golang-external-secrets/charts/external-secrets-0.9.5.tgz
deleted file mode 100644
index f40bed88d..000000000
Binary files a/golang-external-secrets/charts/external-secrets-0.9.5.tgz and /dev/null differ
diff --git a/golang-external-secrets/charts/external-secrets-0.9.8.tgz b/golang-external-secrets/charts/external-secrets-0.9.8.tgz
new file mode 100644
index 000000000..7270f40c9
Binary files /dev/null and b/golang-external-secrets/charts/external-secrets-0.9.8.tgz differ
diff --git a/golang-external-secrets/values.yaml b/golang-external-secrets/values.yaml
index ea644c03c..31b4748a6 100644
--- a/golang-external-secrets/values.yaml
+++ b/golang-external-secrets/values.yaml
@@ -11,10 +11,10 @@ clusterGroup:
 external-secrets:
 image:
- tag: v0.9.5-ubi
+ tag: v0.9.8-ubi
 webhook:
 image:
- tag: v0.9.5-ubi
+ tag: v0.9.8-ubi
 certController:
 image:
- tag: v0.9.5-ubi
+ tag: v0.9.8-ubi
diff --git a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml
index d4a7f257e..38744c881 100644
--- a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml
+++ b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml
@@ -6,10 +6,10 @@ metadata:
 name: external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
@@ -19,10 +19,10 @@ metadata:
 name: golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -32,10 +32,10 @@ metadata:
 name: external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
@@ -45,10 +45,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 ---
@@ -278,16 +278,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -350,16 +362,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -376,10 +400,18 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 name:
 description: Finds secrets based on the name.
@@ -414,6 +446,15 @@ spec:
 - source
 - target
 type: object
+ transform:
+ description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
+ properties:
+ template:
+ description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
+ type: string
+ required:
+ - template
+ type: object
 type: object
 type: array
 sourceRef:
@@ -506,9 +547,16 @@ spec:
 type: object
 engineVersion:
 default: v2
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
 type: string
 mergePolicy:
 default: Replace
+ enum:
+ - Replace
+ - Merge
 type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
@@ -534,6 +582,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -556,6 +607,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -569,6 +623,10 @@ spec:
 type: object
 target:
 default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
 type: string
 type: object
 type: array
@@ -608,12 +666,16 @@ spec:
 type: object
 type: object
 x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
+ items:
+ type: string
+ type: array
 refreshTime:
- description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
+ description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
 type: string
 required:
 - externalSecretSpec
- - namespaceSelector
 type: object
 status:
 description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
@@ -1325,7 +1387,7 @@ spec:
 description: Oracle configures this store to sync secrets using Oracle Vault provider
 properties:
 auth:
- description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
 properties:
 secretRef:
 description: SecretRef to pass through sensitive information.
@@ -1371,6 +1433,9 @@ spec:
 - tenancy
 - user
 type: object
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ type: string
 region:
 description: Region is the region where vault is located.
 type: string
@@ -2308,11 +2373,72 @@ spec:
 - apiKeyRef
 - userRef
 type: object
- required:
- - apikey
+ jwt:
+ properties:
+ account:
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ serviceID:
+ description: The conjur authn jwt webservice id
+ type: string
+ required:
+ - account
+ - serviceID
+ type: object
 type: object
 caBundle:
 type: string
+ caProvider:
+ description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
 url:
 type: string
 required:
@@ -2828,6 +2954,9 @@ spec:
 - tenancy
 - user
 type: object
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ type: string
 region:
 description: Region is the region where vault is located.
 type: string
@@ -3734,6 +3863,9 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
@@ -3762,6 +3894,9 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
@@ -3798,6 +3933,10 @@ spec:
 creationPolicy:
 default: Owner
 description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
+ enum:
+ - Owner
+ - Merge
+ - None
 type: string
 immutable:
 description: Immutable defines if the final secret will be immutable
@@ -3815,6 +3954,9 @@ spec:
 engineVersion:
 default: v1
 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
 type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
@@ -3960,16 +4102,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -4032,16 +4186,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -4058,10 +4224,18 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 name:
 description: Finds secrets based on the name.
@@ -4096,6 +4270,15 @@ spec:
 - source
 - target
 type: object
+ transform:
+ description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
+ properties:
+ template:
+ description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
+ type: string
+ required:
+ - template
+ type: object
 type: object
 type: array
 sourceRef:
@@ -4188,9 +4371,16 @@ spec:
 type: object
 engineVersion:
 default: v2
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
 type: string
 mergePolicy:
 default: Replace
+ enum:
+ - Replace
+ - Merge
 type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
@@ -4216,6 +4406,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -4238,6 +4431,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -4251,6 +4447,10 @@ spec:
 type: object
 target:
 default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
 type: string
 type: object
 type: array
@@ -4636,6 +4836,9 @@ spec:
 deletionPolicy:
 default: None
 description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
+ enum:
+ - Delete
+ - None
 type: string
 refreshInterval:
 description: The Interval to which External Secrets will try to push a secret definition
@@ -5439,7 +5642,7 @@ spec:
 description: Oracle configures this store to sync secrets using Oracle Vault provider
 properties:
 auth:
- description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal.
 properties:
 secretRef:
 description: SecretRef to pass through sensitive information.
@@ -5485,6 +5688,9 @@ spec:
 - tenancy
 - user
 type: object
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ type: string
 region:
 description: Region is the region where vault is located.
 type: string
@@ -6422,11 +6628,72 @@ spec:
 - apiKeyRef
 - userRef
 type: object
- required:
- - apikey
+ jwt:
+ properties:
+ account:
+ type: string
+ secretRef:
+ description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ serviceID:
+ description: The conjur authn jwt webservice id
+ type: string
+ required:
+ - account
+ - serviceID
+ type: object
 type: object
 caBundle:
 type: string
+ caProvider:
+ description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
 url:
 type: string
 required:
@@ -6942,6 +7209,9 @@ spec:
 - tenancy
 - user
 type: object
+ principalType:
+ description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ type: string
 region:
 description: Region is the region where vault is located.
 type: string
@@ -8124,10 +8394,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-cert-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8191,10 +8461,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8300,10 +8570,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-view
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -8340,10 +8610,10 @@ kind: ClusterRole
 metadata:
 name: golang-external-secrets-edit
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -8384,10 +8654,10 @@ metadata:
 name: golang-external-secrets-servicebindings
 labels:
 servicebinding.io/controller: "true"
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8405,10 +8675,10 @@ kind: ClusterRoleBinding
 metadata:
 name: golang-external-secrets-cert-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -8425,10 +8695,10 @@ kind: ClusterRoleBinding
 metadata:
 name: golang-external-secrets-controller
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -8461,10 +8731,10 @@ metadata:
 name: golang-external-secrets-leaderelection
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
@@ -8500,10 +8770,10 @@ metadata:
 name: golang-external-secrets-leaderelection
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -8521,10 +8791,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 spec:
@@ -8545,10 +8815,10 @@ metadata:
 name: golang-external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -8560,10 +8830,10 @@ spec:
 template:
 metadata:
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 spec:
 serviceAccountName: external-secrets-cert-controller
@@ -8578,7 +8848,7 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi"
+ image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - certcontroller
@@ -8608,10 +8878,10 @@ metadata:
 name: golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -8623,10 +8893,10 @@ spec:
 template:
 metadata:
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 spec:
 serviceAccountName: golang-external-secrets
@@ -8641,7 +8911,7 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi"
+ image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - --concurrent=1
@@ -8657,10 +8927,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 spec:
 replicas: 1
@@ -8672,10 +8942,10 @@ spec:
 template:
 metadata:
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 spec:
 hostNetwork: false
@@ -8690,7 +8960,7 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi"
+ image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi"
 imagePullPolicy: IfNotPresent
 args:
 - webhook
diff --git a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml
index a549223c9..8c6c5c0fb 100644
--- a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml
+++ b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml
@@ -6,10 +6,10 @@ metadata:
 name: external-secrets-cert-controller
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-cert-controller
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml
@@ -19,10 +19,10 @@ metadata:
 name: golang-external-secrets
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -32,10 +32,10 @@ metadata:
 name: external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 ---
 # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml
@@ -45,10 +45,10 @@ metadata:
 name: golang-external-secrets-webhook
 namespace: "default"
 labels:
- helm.sh/chart: external-secrets-0.9.5
+ helm.sh/chart: external-secrets-0.9.8
 app.kubernetes.io/name: external-secrets-webhook
 app.kubernetes.io/instance: golang-external-secrets
- app.kubernetes.io/version: "v0.9.5"
+ app.kubernetes.io/version: "v0.9.8"
 app.kubernetes.io/managed-by: Helm
 external-secrets.io/component: webhook
 ---
@@ -278,16 +278,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -350,16 +362,28 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 key:
 description: Key is the key used in the Provider, mandatory
 type: string
 metadataPolicy:
+ default: None
 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
 type: string
 property:
 description: Used to select a specific property of the Provider value (if a map), if supported
@@ -376,10 +400,18 @@ spec:
 conversionStrategy:
 default: Default
 description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
 type: string
 decodingStrategy:
 default: None
 description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
 type: string
 name:
 description: Finds secrets based on the name.
@@ -414,6 +446,15 @@ spec:
 - source
 - target
 type: object
+ transform:
+ description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
+ properties:
+ template:
+ description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template.
+ type: string
+ required:
+ - template
+ type: object
 type: object
 type: array
 sourceRef:
@@ -506,9 +547,16 @@ spec:
 type: object
 engineVersion:
 default: v2
+ description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
 type: string
 mergePolicy:
 default: Replace
+ enum:
+ - Replace
+ - Merge
 type: string
 metadata:
 description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
@@ -534,6 +582,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -556,6 +607,9 @@ spec:
 type: string
 templateAs:
 default: Values
+ enum:
+ - Values
+ - KeysAndValues
 type: string
 required:
 - key
@@ -569,6 +623,10 @@ spec:
 type: object
 target:
 default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
 type: string
 type: object
 type: array
@@ -608,12 +666,16 @@ spec:
 type: object
 type: object
 x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
+ items:
+ type: string
+ type: array
 refreshTime:
- description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
+ description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
 type: string
 required:
 - externalSecretSpec
- - namespaceSelector
 type: object
 status:
 description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -1371,6 +1433,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -2308,11 +2373,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2828,6 +2954,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -3734,6 +3863,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3894,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3798,6 +3933,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable 
@@ -3815,6 +3954,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4102,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4032,16 +4186,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported 
@@ -4058,10 +4224,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4270,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4188,9 +4371,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4406,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4431,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4447,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array 
@@ -4636,6 +4836,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -5439,7 +5642,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -5485,6 +5688,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -6422,11 +6628,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6942,6 +7209,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -8124,10 +8394,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8461,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8300,10 +8570,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8610,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8384,10 +8654,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8675,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8425,10 +8695,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8731,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8500,10 +8770,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8791,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8545,10 +8815,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8830,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8848,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +8878,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +8893,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets 
@@ -8641,7 +8911,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8657,10 +8927,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +8942,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +8960,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index a549223c9..8c6c5c0fb 100644 --- a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. 
@@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -1371,6 +1433,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -2308,11 +2373,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2828,6 +2954,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -3734,6 +3863,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3894,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3798,6 +3933,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable 
@@ -3815,6 +3954,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4102,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4032,16 +4186,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported 
@@ -4058,10 +4224,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4270,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4188,9 +4371,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4406,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4431,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4447,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array 
@@ -4636,6 +4836,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -5439,7 +5642,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -5485,6 +5688,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -6422,11 +6628,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6942,6 +7209,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -8124,10 +8394,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8461,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8300,10 +8570,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8610,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8384,10 +8654,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8675,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8425,10 +8695,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8731,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8500,10 +8770,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8791,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8545,10 +8815,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8830,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8848,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +8878,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +8893,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets 
@@ -8641,7 +8911,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8657,10 +8927,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +8942,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +8960,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-naked.expected.yaml b/tests/golang-external-secrets-naked.expected.yaml index fa8a268be..bd543b06a 100644 --- a/tests/golang-external-secrets-naked.expected.yaml +++ b/tests/golang-external-secrets-naked.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. 
@@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -1371,6 +1433,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -2308,11 +2373,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2828,6 +2954,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -3734,6 +3863,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3894,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3798,6 +3933,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable 
@@ -3815,6 +3954,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4102,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4032,16 +4186,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported 
@@ -4058,10 +4224,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4270,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4188,9 +4371,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4406,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4431,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4447,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array 
@@ -4636,6 +4836,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -5439,7 +5642,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -5485,6 +5688,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -6422,11 +6628,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6942,6 +7209,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -8124,10 +8394,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8461,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8300,10 +8570,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8610,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8384,10 +8654,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8675,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8425,10 +8695,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8731,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8500,10 +8770,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8791,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8545,10 +8815,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8830,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8848,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +8878,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +8893,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets 
@@ -8641,7 +8911,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8657,10 +8927,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +8942,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +8960,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-normal.expected.yaml b/tests/golang-external-secrets-normal.expected.yaml index a549223c9..8c6c5c0fb 100644 --- a/tests/golang-external-secrets-normal.expected.yaml +++ b/tests/golang-external-secrets-normal.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -278,16 +278,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -350,16 +362,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -376,10 +400,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. 
@@ -414,6 +446,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -506,9 +547,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -534,6 +582,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -556,6 +607,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -569,6 +623,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array @@ -608,12 +666,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + namespaces: + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + items: + type: string + type: array refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. + description: The time in which the controller should reconcile its objects and recheck namespaces for labels. type: string required: - externalSecretSpec - - namespaceSelector type: object status: description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. 
@@ -1325,7 +1387,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -1371,6 +1433,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -2308,11 +2373,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -2828,6 +2954,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -3734,6 +3863,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3762,6 +3894,9 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string key: description: Key is the key used in the Provider, mandatory @@ -3798,6 +3933,10 @@ spec: creationPolicy: default: Owner description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + enum: + - Owner + - Merge + - None type: string immutable: description: Immutable defines if the final secret will be immutable 
@@ -3815,6 +3954,9 @@ spec: engineVersion: default: v1 description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -3960,16 +4102,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported @@ -4032,16 +4186,28 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string key: description: Key is the key used in the Provider, mandatory type: string metadataPolicy: + default: None description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None + enum: + - None + - Fetch type: string property: description: Used to select a specific property of the Provider value (if a map), if supported 
@@ -4058,10 +4224,18 @@ spec: conversionStrategy: default: Default description: Used to define a conversion Strategy + enum: + - Default + - Unicode type: string decodingStrategy: default: None description: Used to define a decoding Strategy + enum: + - Auto + - Base64 + - Base64URL + - None type: string name: description: Finds secrets based on the name. @@ -4096,6 +4270,15 @@ spec: - source - target type: object + transform: + description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + properties: + template: + description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + type: string + required: + - template + type: object type: object type: array sourceRef: @@ -4188,9 +4371,16 @@ spec: type: object engineVersion: default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 type: string mergePolicy: default: Replace + enum: + - Replace + - Merge type: string metadata: description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. @@ -4216,6 +4406,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4238,6 +4431,9 @@ spec: type: string templateAs: default: Values + enum: + - Values + - KeysAndValues type: string required: - key @@ -4251,6 +4447,10 @@ spec: type: object target: default: Data + enum: + - Data + - Annotations + - Labels type: string type: object type: array 
@@ -4636,6 +4836,9 @@ spec: deletionPolicy: default: None description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' + enum: + - Delete + - None type: string refreshInterval: description: The Interval to which External Secrets will try to push a secret definition @@ -5439,7 +5642,7 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. @@ -5485,6 +5688,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string 
@@ -6422,11 +6628,72 @@ spec: - apiKeyRef - userRef type: object - required: - - apikey + jwt: + properties: + account: + type: string + secretRef: + description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + type: object + serviceAccountRef: + description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + properties: + audiences: + description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + type: string + namespace: + description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + type: string + required: + - name + type: object + serviceID: + description: The conjur authn jwt webservice id + type: string + required: + - account + - serviceID + type: object type: object caBundle: type: string + caProvider: + description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. 
+ properties: + key: + description: The key where the CA certificate can be found in the Secret or ConfigMap. + type: string + name: + description: The name of the object located at the provider type. + type: string + namespace: + description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + type: string + type: + description: The type of provider to use such as "Secret", or "ConfigMap". + enum: + - Secret + - ConfigMap + type: string + required: + - name + - type + type: object url: type: string required: @@ -6942,6 +7209,9 @@ spec: - tenancy - user type: object + principalType: + description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + type: string region: description: Region is the region where vault is located. type: string @@ -8124,10 +8394,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8191,10 +8461,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8300,10 +8570,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -8340,10 +8610,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8384,10 +8654,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8405,10 +8675,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8425,10 +8695,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8461,10 +8731,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8500,10 +8770,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8521,10 +8791,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8545,10 +8815,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8560,10 +8830,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: external-secrets-cert-controller @@ -8578,7 +8848,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8608,10 +8878,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8623,10 +8893,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: serviceAccountName: golang-external-secrets 
@@ -8641,7 +8911,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8657,10 +8927,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8672,10 +8942,10 @@ spec: template: metadata: labels: - helm.sh/chart: external-secrets-0.9.5 + helm.sh/chart: external-secrets-0.9.8 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.9.5" + app.kubernetes.io/version: "v0.9.8" app.kubernetes.io/managed-by: Helm spec: hostNetwork: false @@ -8690,7 +8960,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "ghcr.io/external-secrets/external-secrets:v0.9.5-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.9.8-ubi" imagePullPolicy: IfNotPresent args: - webhook