Documentation ¶
Index ¶
Constants ¶
View Source
const ( AppName = "external-secrets" Namespace = "external-secrets" Version = "0.7.2" )
Variables ¶
View Source
var CertControllerCR = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{ Labels: CertControllerLabels, Name: certControllerName, }, Rules: []rbacv1.PolicyRule{ { APIGroups: []string{"apiextensions.k8s.io"}, Resources: []string{"customresourcedefinitions"}, Verbs: []string{"get", "list", "watch", "update", "patch"}, }, { APIGroups: []string{"admissionregistration.k8s.io"}, Resources: []string{"validatingwebhookconfigurations"}, Verbs: []string{"get", "list", "watch", "update", "patch"}, }, { APIGroups: []string{}, Resources: []string{"endpoints"}, Verbs: []string{"list", "get", "watch"}, }, { APIGroups: []string{}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}, }, { APIGroups: []string{}, Resources: []string{"secrets"}, Verbs: []string{"get", "list", "watch", "update", "patch"}, }, }, }
View Source
var CertControllerDeploy = &appsv1.Deployment{ TypeMeta: kubeutil.TypeDeploymentV1, ObjectMeta: kubeutil.ObjectMeta( certControllerName, Namespace, CertControllerLabels, nil, ), Spec: appsv1.DeploymentSpec{ Replicas: P(int32(1)), Selector: &metav1.LabelSelector{ MatchLabels: CertControllerMatchLabels, }, Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: CertControllerMatchLabels, }, Spec: corev1.PodSpec{ AutomountServiceAccountToken: P(true), Containers: []corev1.Container{ { Args: []string{ "certcontroller", "--crd-requeue-interval=5m", F("--service-name=%s", webhookName), F("--service-namespace=%s", Namespace), F("--secret-name=%s", webhookName), F("--secret-namespace=%s", Namespace), }, Image: containerImage, ImagePullPolicy: corev1.PullIfNotPresent, Name: "cert-controller", Ports: []corev1.ContainerPort{metricsPort}, ReadinessProbe: &corev1.Probe{ InitialDelaySeconds: int32(20), PeriodSeconds: int32(5), ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: "/readyz", Port: intstr.IntOrString{IntVal: int32(8081)}, }, }, }, }, }, ServiceAccountName: "external-secrets-cert-controller", }, }, }, }
View Source
var CertControllerLabels = map[string]string{ kubeutil.AppLabelName: certControllerName, kubeutil.AppLabelInstance: AppName, kubeutil.AppLabelVersion: "v" + Version, kubeutil.AppLabelManagedBy: "lingon", }
View Source
var CertControllerMatchLabels = map[string]string{ kubeutil.AppLabelInstance: AppName, kubeutil.AppLabelName: certControllerName, }
View Source
var ControllerCr = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{ Labels: ESLabels, Name: controllerName, }, Rules: []rbacv1.PolicyRule{ { APIGroups: []string{"external-secrets.io"}, Resources: []string{ "secretstores", "clustersecretstores", "externalsecrets", "clusterexternalsecrets", "pushsecrets", }, Verbs: []string{"get", "list", "watch"}, }, { APIGroups: []string{"external-secrets.io"}, Resources: []string{ "externalsecrets", "externalsecrets/status", "externalsecrets/finalizers", "secretstores", "secretstores/status", "secretstores/finalizers", "clustersecretstores", "clustersecretstores/status", "clustersecretstores/finalizers", "clusterexternalsecrets", "clusterexternalsecrets/status", "clusterexternalsecrets/finalizers", "pushsecrets", "pushsecrets/status", "pushsecrets/finalizers", }, Verbs: []string{"update", "patch"}, }, { APIGroups: []string{"generators.external-secrets.io"}, Resources: []string{ "fakes", "passwords", "acraccesstokens", "gcraccesstokens", "ecrauthorizationtokens", }, Verbs: []string{"get", "list", "watch"}, }, { APIGroups: []string{}, Resources: []string{"serviceaccounts", "namespaces"}, Verbs: []string{"get", "list", "watch"}, }, { APIGroups: []string{}, Resources: []string{"configmaps"}, Verbs: []string{"get", "list", "watch"}, }, { APIGroups: []string{}, Resources: []string{"secrets"}, Verbs: []string{ "get", "list", "watch", "create", "update", "delete", "patch", }, }, { APIGroups: []string{}, Resources: []string{"serviceaccounts/token"}, Verbs: []string{"create"}, }, { APIGroups: []string{}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}, }, { APIGroups: []string{"external-secrets.io"}, Resources: []string{"externalsecrets"}, Verbs: []string{"create", "update", "delete"}, }, }, }
View Source
var Deploy = &appsv1.Deployment{ TypeMeta: kubeutil.TypeDeploymentV1, ObjectMeta: kubeutil.ObjectMeta(AppName, Namespace, ESLabels, nil), Spec: appsv1.DeploymentSpec{ Replicas: P(int32(1)), Selector: &metav1.LabelSelector{ MatchLabels: ESMatchLabels, }, Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: ESMatchLabels, }, Spec: corev1.PodSpec{ AutomountServiceAccountToken: P(true), Containers: []corev1.Container{ { Args: []string{"--concurrent=1"}, Image: containerImage, ImagePullPolicy: corev1.PullIfNotPresent, Name: AppName, Ports: []corev1.ContainerPort{metricsPort}, }, }, ServiceAccountName: "external-secrets", }, }, }, }
View Source
var ESLabels = map[string]string{ kubeutil.AppLabelInstance: AppName, kubeutil.AppLabelName: AppName, kubeutil.AppLabelManagedBy: "lingon", kubeutil.AppLabelVersion: "v" + Version, }
View Source
var ESMatchLabels = map[string]string{ kubeutil.AppLabelInstance: AppName, kubeutil.AppLabelName: AppName, }
View Source
var EditCR = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{ Labels: kubeutil.MergeLabels( ESLabels, map[string]string{ "rbac.authorization.k8s.io/aggregate-to-admin": "true", "rbac.authorization.k8s.io/aggregate-to-edit": "true", }, ), Name: AppName + "-edit", }, Rules: []rbacv1.PolicyRule{ { APIGroups: []string{"external-secrets.io"}, Resources: []string{ "externalsecrets", "secretstores", "clustersecretstores", "pushsecrets", }, Verbs: []string{ "create", "delete", "deletecollection", "patch", "update", }, }, }, }
View Source
var F = fmt.Sprintf
View Source
var LeaderElectionRole = &rbacv1.Role{ ObjectMeta: metav1.ObjectMeta{ Labels: ESLabels, Name: "external-secrets-leaderelection", Namespace: "external-secrets", }, Rules: []rbacv1.PolicyRule{ { APIGroups: []string{}, ResourceNames: []string{"external-secrets-controller"}, Resources: []string{"configmaps"}, Verbs: []string{"get", "update", "patch"}, }, { APIGroups: []string{}, Resources: []string{"configmaps"}, Verbs: []string{"create"}, }, { APIGroups: []string{"coordination.k8s.io"}, Resources: []string{"leases"}, Verbs: []string{"get", "create", "update", "patch"}, }, }, TypeMeta: metav1.TypeMeta{ APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role", }, }
View Source
var ViewCR = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{ Labels: kubeutil.MergeLabels( ESLabels, map[string]string{ "rbac.authorization.k8s.io/aggregate-to-admin": "true", "rbac.authorization.k8s.io/aggregate-to-edit": "true", "rbac.authorization.k8s.io/aggregate-to-view": "true", }, ), Name: AppName + "-view", }, Rules: []rbacv1.PolicyRule{ { APIGroups: []string{"external-secrets.io"}, Resources: []string{ "externalsecrets", "secretstores", "clustersecretstores", "pushsecrets", }, Verbs: []string{"get", "watch", "list"}, }, }, }
View Source
var WebhookDeploy = &appsv1.Deployment{ TypeMeta: kubeutil.TypeDeploymentV1, ObjectMeta: kubeutil.ObjectMeta(webhookName, Namespace, WebhookLabels, nil), Spec: appsv1.DeploymentSpec{ Replicas: P(int32(1)), Selector: &metav1.LabelSelector{ MatchLabels: WebhookMatchLabels, }, Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: WebhookMatchLabels, }, Spec: corev1.PodSpec{ AutomountServiceAccountToken: P(true), Containers: []corev1.Container{ { Args: []string{ "webhook", F("--port=%d", webhookPort), F("--dns-name=%s.%s.svc", webhookName, Namespace), F("--cert-dir=%s", webhookSecretMountPath), "--check-interval=5m", F("--metrics-addr=:%d", portMetric), F("--healthz-addr=:%d", healthzPort), }, Image: containerImage, ImagePullPolicy: corev1.PullIfNotPresent, Name: "webhook", Ports: []corev1.ContainerPort{ metricsPort, { ContainerPort: int32(webhookPort), Name: "webhook", Protocol: corev1.ProtocolTCP, }, }, ReadinessProbe: &corev1.Probe{ InitialDelaySeconds: int32(20), PeriodSeconds: int32(5), ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: "/readyz", Port: intstr.IntOrString{IntVal: int32(healthzPort)}, }, }, }, VolumeMounts: []corev1.VolumeMount{ { MountPath: webhookSecretMountPath, Name: "certs", ReadOnly: true, }, }, }, }, ServiceAccountName: "external-secrets-webhook", Volumes: []corev1.Volume{ { Name: "certs", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: webhookName}}, }, }, }, }, }, }
View Source
var WebhookLabels = map[string]string{ kubeutil.AppLabelInstance: AppName, kubeutil.AppLabelManagedBy: "lingon", kubeutil.AppLabelVersion: "v" + Version, "app.kubernetes.io/name": "external-secrets-webhook", }
View Source
var WebhookMatchLabels = map[string]string{ kubeutil.AppLabelInstance: AppName, kubeutil.AppLabelName: webhookName, }
View Source
var WebhookSVC = &corev1.Service{ TypeMeta: kubeutil.TypeServiceV1, ObjectMeta: kubeutil.ObjectMeta(webhookName, Namespace, WebhookLabels, nil), Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ { Name: "webhook", Port: int32(443), Protocol: corev1.ProtocolTCP, TargetPort: intstr.IntOrString{IntVal: int32(10250)}, }, }, Selector: WebhookMatchLabels, Type: corev1.ServiceTypeClusterIP, }, }
Functions ¶
Types ¶
type CRD ¶
type CRD struct { CrdACRAccessTokensGenerators *apiextv1.CustomResourceDefinition CrdClusterExternalSecrets *apiextv1.CustomResourceDefinition CrdClusterSecretStores *apiextv1.CustomResourceDefinition CrdECRAuthorizationTokensGenerators *apiextv1.CustomResourceDefinition CrdExternalSecrets *apiextv1.CustomResourceDefinition CrdFakesGenerators *apiextv1.CustomResourceDefinition CrdGCRAccessTokensGenerators *apiextv1.CustomResourceDefinition CrdPasswordsGenerators *apiextv1.CustomResourceDefinition CrdPushSecrets *apiextv1.CustomResourceDefinition CrdSecretStores *apiextv1.CustomResourceDefinition }
type ExternalSecrets ¶
type ExternalSecrets struct { kube.App CRD NS *corev1.Namespace SecretsWebhook *corev1.Secret CertControllerDeploy *appsv1.Deployment CertControllerCR *rbacv1.ClusterRole CertControllerCRB *rbacv1.ClusterRoleBinding CertControllerSA *corev1.ServiceAccount ControllerCR *rbacv1.ClusterRole ControllerCRB *rbacv1.ClusterRoleBinding EditCR *rbacv1.ClusterRole ViewCR *rbacv1.ClusterRole SA *corev1.ServiceAccount Deploy *appsv1.Deployment WebhookSA *corev1.ServiceAccount WebhookDeploy *appsv1.Deployment WebhookSVC *corev1.Service ExternalSecretValidateWH *arv1.ValidatingWebhookConfiguration SecretStoreValidateWH *arv1.ValidatingWebhookConfiguration LeaderElectionRole *rbacv1.Role LeaderElectionRB *rbacv1.RoleBinding }
func New ¶
func New() *ExternalSecrets
Source Files ¶
Click to show internal directories.
Click to hide internal directories.