externalsecrets

package

v0.0.0-...-a2a49da Latest Latest Go to latest Published: Apr 2, 2023 License: Apache-2.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/volvo-cars/lingon

Documentation ¶

Constants ¶

View Source

const (
	AppName = "external-secrets"

	Namespace = "external-secrets"
	Version   = "0.7.2"
)

Variables ¶

View Source

var CertControllerCR = &rbacv1.ClusterRole{
	TypeMeta: kubeutil.TypeClusterRoleV1,
	ObjectMeta: metav1.ObjectMeta{
		Labels: CertControllerLabels,
		Name:   certControllerName,
	},
	Rules: []rbacv1.PolicyRule{
		{
			APIGroups: []string{"apiextensions.k8s.io"},
			Resources: []string{"customresourcedefinitions"},
			Verbs:     []string{"get", "list", "watch", "update", "patch"},
		}, {
			APIGroups: []string{"admissionregistration.k8s.io"},
			Resources: []string{"validatingwebhookconfigurations"},
			Verbs:     []string{"get", "list", "watch", "update", "patch"},
		}, {
			APIGroups: []string{},
			Resources: []string{"endpoints"},
			Verbs:     []string{"list", "get", "watch"},
		}, {
			APIGroups: []string{},
			Resources: []string{"events"},
			Verbs:     []string{"create", "patch"},
		}, {
			APIGroups: []string{},
			Resources: []string{"secrets"},
			Verbs:     []string{"get", "list", "watch", "update", "patch"},
		},
	},
}

View Source

var CertControllerDeploy = &appsv1.Deployment{
	TypeMeta: kubeutil.TypeDeploymentV1,
	ObjectMeta: kubeutil.ObjectMeta(
		certControllerName,
		Namespace,
		CertControllerLabels,
		nil,
	),
	Spec: appsv1.DeploymentSpec{
		Replicas: P(int32(1)),
		Selector: &metav1.LabelSelector{
			MatchLabels: CertControllerMatchLabels,
		},
		Template: corev1.PodTemplateSpec{
			ObjectMeta: metav1.ObjectMeta{
				Labels: CertControllerMatchLabels,
			},
			Spec: corev1.PodSpec{
				AutomountServiceAccountToken: P(true),
				Containers: []corev1.Container{
					{
						Args: []string{
							"certcontroller",
							"--crd-requeue-interval=5m",

							F("--service-name=%s", webhookName),

							F("--service-namespace=%s", Namespace),

							F("--secret-name=%s", webhookName),

							F("--secret-namespace=%s", Namespace),
						},
						Image:           containerImage,
						ImagePullPolicy: corev1.PullIfNotPresent,
						Name:            "cert-controller",
						Ports:           []corev1.ContainerPort{metricsPort},
						ReadinessProbe: &corev1.Probe{
							InitialDelaySeconds: int32(20),
							PeriodSeconds:       int32(5),
							ProbeHandler: corev1.ProbeHandler{
								HTTPGet: &corev1.HTTPGetAction{
									Path: "/readyz",
									Port: intstr.IntOrString{IntVal: int32(8081)},
								},
							},
						},
					},
				},
				ServiceAccountName: "external-secrets-cert-controller",
			},
		},
	},
}

View Source

var CertControllerLabels = map[string]string{
	kubeutil.AppLabelName:      certControllerName,
	kubeutil.AppLabelInstance:  AppName,
	kubeutil.AppLabelVersion:   "v" + Version,
	kubeutil.AppLabelManagedBy: "lingon",
}

View Source

var CertControllerMatchLabels = map[string]string{
	kubeutil.AppLabelInstance: AppName,
	kubeutil.AppLabelName:     certControllerName,
}

View Source

var ControllerCr = &rbacv1.ClusterRole{
	TypeMeta: kubeutil.TypeClusterRoleV1,
	ObjectMeta: metav1.ObjectMeta{
		Labels: ESLabels,
		Name:   controllerName,
	},
	Rules: []rbacv1.PolicyRule{
		{
			APIGroups: []string{"external-secrets.io"},
			Resources: []string{
				"secretstores",
				"clustersecretstores",
				"externalsecrets",
				"clusterexternalsecrets",
				"pushsecrets",
			},
			Verbs: []string{"get", "list", "watch"},
		}, {
			APIGroups: []string{"external-secrets.io"},
			Resources: []string{
				"externalsecrets",
				"externalsecrets/status",
				"externalsecrets/finalizers",
				"secretstores",
				"secretstores/status",
				"secretstores/finalizers",
				"clustersecretstores",
				"clustersecretstores/status",
				"clustersecretstores/finalizers",
				"clusterexternalsecrets",
				"clusterexternalsecrets/status",
				"clusterexternalsecrets/finalizers",
				"pushsecrets",
				"pushsecrets/status",
				"pushsecrets/finalizers",
			},
			Verbs: []string{"update", "patch"},
		}, {
			APIGroups: []string{"generators.external-secrets.io"},
			Resources: []string{
				"fakes",
				"passwords",
				"acraccesstokens",
				"gcraccesstokens",
				"ecrauthorizationtokens",
			},
			Verbs: []string{"get", "list", "watch"},
		}, {
			APIGroups: []string{},
			Resources: []string{"serviceaccounts", "namespaces"},
			Verbs:     []string{"get", "list", "watch"},
		}, {
			APIGroups: []string{},
			Resources: []string{"configmaps"},
			Verbs:     []string{"get", "list", "watch"},
		}, {
			APIGroups: []string{},
			Resources: []string{"secrets"},
			Verbs: []string{
				"get",
				"list",
				"watch",
				"create",
				"update",
				"delete",
				"patch",
			},
		}, {
			APIGroups: []string{},
			Resources: []string{"serviceaccounts/token"},
			Verbs:     []string{"create"},
		}, {
			APIGroups: []string{},
			Resources: []string{"events"},
			Verbs:     []string{"create", "patch"},
		}, {
			APIGroups: []string{"external-secrets.io"},
			Resources: []string{"externalsecrets"},
			Verbs:     []string{"create", "update", "delete"},
		},
	},
}

View Source

var Deploy = &appsv1.Deployment{
	TypeMeta:   kubeutil.TypeDeploymentV1,
	ObjectMeta: kubeutil.ObjectMeta(AppName, Namespace, ESLabels, nil),
	Spec: appsv1.DeploymentSpec{
		Replicas: P(int32(1)),
		Selector: &metav1.LabelSelector{
			MatchLabels: ESMatchLabels,
		},
		Template: corev1.PodTemplateSpec{
			ObjectMeta: metav1.ObjectMeta{
				Labels: ESMatchLabels,
			},
			Spec: corev1.PodSpec{
				AutomountServiceAccountToken: P(true),
				Containers: []corev1.Container{
					{
						Args:            []string{"--concurrent=1"},
						Image:           containerImage,
						ImagePullPolicy: corev1.PullIfNotPresent,
						Name:            AppName,
						Ports:           []corev1.ContainerPort{metricsPort},
					},
				},
				ServiceAccountName: "external-secrets",
			},
		},
	},
}

View Source

var ESLabels = map[string]string{
	kubeutil.AppLabelInstance:  AppName,
	kubeutil.AppLabelName:      AppName,
	kubeutil.AppLabelManagedBy: "lingon",
	kubeutil.AppLabelVersion:   "v" + Version,
}

View Source

var ESMatchLabels = map[string]string{
	kubeutil.AppLabelInstance: AppName,
	kubeutil.AppLabelName:     AppName,
}

View Source

var EditCR = &rbacv1.ClusterRole{
	TypeMeta: kubeutil.TypeClusterRoleV1,
	ObjectMeta: metav1.ObjectMeta{
		Labels: kubeutil.MergeLabels(
			ESLabels, map[string]string{
				"rbac.authorization.k8s.io/aggregate-to-admin": "true",
				"rbac.authorization.k8s.io/aggregate-to-edit":  "true",
			},
		),
		Name: AppName + "-edit",
	},
	Rules: []rbacv1.PolicyRule{
		{
			APIGroups: []string{"external-secrets.io"},
			Resources: []string{
				"externalsecrets",
				"secretstores",
				"clustersecretstores",
				"pushsecrets",
			},
			Verbs: []string{
				"create",
				"delete",
				"deletecollection",
				"patch",
				"update",
			},
		},
	},
}

View Source

var F = fmt.Sprintf

View Source

var LeaderElectionRole = &rbacv1.Role{
	ObjectMeta: metav1.ObjectMeta{
		Labels:    ESLabels,
		Name:      "external-secrets-leaderelection",
		Namespace: "external-secrets",
	},
	Rules: []rbacv1.PolicyRule{
		{
			APIGroups:     []string{},
			ResourceNames: []string{"external-secrets-controller"},
			Resources:     []string{"configmaps"},
			Verbs:         []string{"get", "update", "patch"},
		}, {
			APIGroups: []string{},
			Resources: []string{"configmaps"},
			Verbs:     []string{"create"},
		}, {
			APIGroups: []string{"coordination.k8s.io"},
			Resources: []string{"leases"},
			Verbs:     []string{"get", "create", "update", "patch"},
		},
	},
	TypeMeta: metav1.TypeMeta{
		APIVersion: "rbac.authorization.k8s.io/v1",
		Kind:       "Role",
	},
}

View Source

var ViewCR = &rbacv1.ClusterRole{
	TypeMeta: kubeutil.TypeClusterRoleV1,
	ObjectMeta: metav1.ObjectMeta{
		Labels: kubeutil.MergeLabels(
			ESLabels, map[string]string{
				"rbac.authorization.k8s.io/aggregate-to-admin": "true",
				"rbac.authorization.k8s.io/aggregate-to-edit":  "true",
				"rbac.authorization.k8s.io/aggregate-to-view":  "true",
			},
		),
		Name: AppName + "-view",
	},
	Rules: []rbacv1.PolicyRule{
		{
			APIGroups: []string{"external-secrets.io"},
			Resources: []string{
				"externalsecrets",
				"secretstores",
				"clustersecretstores",
				"pushsecrets",
			},
			Verbs: []string{"get", "watch", "list"},
		},
	},
}

View Source

var WebhookDeploy = &appsv1.Deployment{
	TypeMeta:   kubeutil.TypeDeploymentV1,
	ObjectMeta: kubeutil.ObjectMeta(webhookName, Namespace, WebhookLabels, nil),
	Spec: appsv1.DeploymentSpec{
		Replicas: P(int32(1)),
		Selector: &metav1.LabelSelector{
			MatchLabels: WebhookMatchLabels,
		},
		Template: corev1.PodTemplateSpec{
			ObjectMeta: metav1.ObjectMeta{
				Labels: WebhookMatchLabels,
			},
			Spec: corev1.PodSpec{
				AutomountServiceAccountToken: P(true),
				Containers: []corev1.Container{
					{
						Args: []string{
							"webhook",

							F("--port=%d", webhookPort),

							F("--dns-name=%s.%s.svc", webhookName, Namespace),

							F("--cert-dir=%s", webhookSecretMountPath),
							"--check-interval=5m",

							F("--metrics-addr=:%d", portMetric),

							F("--healthz-addr=:%d", healthzPort),
						},
						Image:           containerImage,
						ImagePullPolicy: corev1.PullIfNotPresent,
						Name:            "webhook",
						Ports: []corev1.ContainerPort{
							metricsPort,
							{
								ContainerPort: int32(webhookPort),
								Name:          "webhook",
								Protocol:      corev1.ProtocolTCP,
							},
						},
						ReadinessProbe: &corev1.Probe{
							InitialDelaySeconds: int32(20),
							PeriodSeconds:       int32(5),
							ProbeHandler: corev1.ProbeHandler{
								HTTPGet: &corev1.HTTPGetAction{
									Path: "/readyz",
									Port: intstr.IntOrString{IntVal: int32(healthzPort)},
								},
							},
						},
						VolumeMounts: []corev1.VolumeMount{
							{
								MountPath: webhookSecretMountPath,
								Name:      "certs",
								ReadOnly:  true,
							},
						},
					},
				},
				ServiceAccountName: "external-secrets-webhook",
				Volumes: []corev1.Volume{
					{
						Name: "certs",

						VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: webhookName}},
					},
				},
			},
		},
	},
}

View Source

var WebhookLabels = map[string]string{
	kubeutil.AppLabelInstance:  AppName,
	kubeutil.AppLabelManagedBy: "lingon",
	kubeutil.AppLabelVersion:   "v" + Version,
	"app.kubernetes.io/name":   "external-secrets-webhook",
}

View Source

var WebhookMatchLabels = map[string]string{
	kubeutil.AppLabelInstance: AppName,
	kubeutil.AppLabelName:     webhookName,
}

View Source

var WebhookSVC = &corev1.Service{
	TypeMeta:   kubeutil.TypeServiceV1,
	ObjectMeta: kubeutil.ObjectMeta(webhookName, Namespace, WebhookLabels, nil),
	Spec: corev1.ServiceSpec{
		Ports: []corev1.ServicePort{
			{
				Name:       "webhook",
				Port:       int32(443),
				Protocol:   corev1.ProtocolTCP,
				TargetPort: intstr.IntOrString{IntVal: int32(10250)},
			},
		},
		Selector: WebhookMatchLabels,
		Type:     corev1.ServiceTypeClusterIP,
	},
}

Functions ¶

func P ¶

func P[T any](t T) *T

Types ¶

type CRD ¶

type CRD struct {
	CrdACRAccessTokensGenerators        *apiextv1.CustomResourceDefinition
	CrdClusterExternalSecrets           *apiextv1.CustomResourceDefinition
	CrdClusterSecretStores              *apiextv1.CustomResourceDefinition
	CrdECRAuthorizationTokensGenerators *apiextv1.CustomResourceDefinition
	CrdExternalSecrets                  *apiextv1.CustomResourceDefinition
	CrdFakesGenerators                  *apiextv1.CustomResourceDefinition
	CrdGCRAccessTokensGenerators        *apiextv1.CustomResourceDefinition
	CrdPasswordsGenerators              *apiextv1.CustomResourceDefinition
	CrdPushSecrets                      *apiextv1.CustomResourceDefinition
	CrdSecretStores                     *apiextv1.CustomResourceDefinition
}

type ExternalSecrets ¶

type ExternalSecrets struct {
	kube.App
	CRD

	NS *corev1.Namespace

	SecretsWebhook *corev1.Secret

	CertControllerDeploy *appsv1.Deployment
	CertControllerCR     *rbacv1.ClusterRole
	CertControllerCRB    *rbacv1.ClusterRoleBinding
	CertControllerSA     *corev1.ServiceAccount

	ControllerCR  *rbacv1.ClusterRole
	ControllerCRB *rbacv1.ClusterRoleBinding

	EditCR *rbacv1.ClusterRole
	ViewCR *rbacv1.ClusterRole

	SA     *corev1.ServiceAccount
	Deploy *appsv1.Deployment

	WebhookSA     *corev1.ServiceAccount
	WebhookDeploy *appsv1.Deployment
	WebhookSVC    *corev1.Service

	ExternalSecretValidateWH *arv1.ValidatingWebhookConfiguration
	SecretStoreValidateWH    *arv1.ValidatingWebhookConfiguration

	LeaderElectionRole *rbacv1.Role
	LeaderElectionRB   *rbacv1.RoleBinding
}

func New ¶

func New() *ExternalSecrets

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
crd
webhook

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL