Merge pull request #17 from Workable/upgrade

Upgrade

.github/pull_request_template.md

@@ -0,0 +1,19 @@
+## Problem Statement
+
+What is the problem you're trying to solve?
+
+## Related Issue
+
+Fixes #...
+
+## Proposed Changes
+
+How do you like to solve the issue and why?
+
+## Checklist
+
+- [ ] I have read the [contribution guidelines](https://external-secrets.io/latest/contributing/process/#submitting-a-pull-request)
+- [ ] All commits are signed with `git commit --signoff`
+- [ ] My changes have reasonable test coverage
+- [ ] All tests pass with `make test`
+- [ ] I ensured my PR is ready for review with `make reviewable`

.github/workflows/ci.yml

@@ -185,7 +185,7 @@ jobs:
           build-platform: "linux/amd64,linux/arm64"
           tag-suffix: "-ubi"
         - dockerfile: "Dockerfile.ubi"
-          build-args: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto"
+          build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
           build-arch: "amd64"
           build-platform: "linux/amd64"
           tag-suffix: "-ubi-boringssl"

.github/workflows/e2e-managed.yml

@@ -10,7 +10,7 @@ permissions:
 env:
   # Common versions
   GO_VERSION: '1.19'
-  GINKGO_VERSION: 'v2.1.6'
+  GINKGO_VERSION: 'v2.8.0'
   DOCKER_BUILDX_VERSION: 'v0.4.2'
 
   # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run

.github/workflows/e2e.yml

@@ -14,7 +14,7 @@ name: e2e tests
 env:
   # Common versions
   GO_VERSION: '1.19'
-  GINKGO_VERSION: 'v2.1.6'
+  GINKGO_VERSION: 'v2.8.0'
   DOCKER_BUILDX_VERSION: 'v0.4.2'
   KIND_VERSION: 'v0.17.0'
   KIND_IMAGE: 'kindest/node:v1.26.0'
@@ -36,7 +36,11 @@ env:
   AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET}}
   TENANT_ID: ${{ secrets.TENANT_ID}}
   VAULT_URL: ${{ secrets.VAULT_URL}}
-
+  SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
+  SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
+  SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
+  SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
+  SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
 
 jobs:
 

.github/workflows/helm.yml

@@ -43,9 +43,25 @@ jobs:
           if [[ -n "$changed" ]]; then
             echo "::set-output name=changed::true"
           fi
+      - name: Install chart unittest
+        run: |
+          helm env
+          helm plugin install https://github.com/helm-unittest/helm-unittest
       - name: Run chart-testing (lint)
         run: ct lint --config=.github/ci/ct.yaml
 
+      - name: Create kind cluster
+        uses: helm/[email protected]
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run unitests
+        if: steps.list-changed.outputs.changed == 'true'
+        run: make helm.test
+
   release:
     runs-on: ubuntu-latest
     steps:

.github/workflows/rebuild-image.yml

@@ -46,9 +46,9 @@ jobs:
           build-args: "CGO_ENABLED=0"
           build-arch: "amd64 arm64"
           build-platform: "linux/amd64,linux/arm64"
-          tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}" #ubi
+          tag-suffix: "-ubi-${{ needs.checkout.outputs.timestamp }}" # ubi
         - dockerfile: "Dockerfile.ubi"
-          build-args: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto" # fips
+          build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto" # fips
           build-arch: "amd64"
           build-platform: "linux/amd64"
           tag-suffix: "-ubi-boringssl-${{ needs.checkout.outputs.timestamp }}"

.github/workflows/stale.yml

@@ -13,5 +13,6 @@ jobs:
           stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
           stale-pr-message: 'This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
           close-issue-message: 'This issue was closed because it has been stalled for 30 days with no activity.'
+          exempt-issue-labels: kind/feature
           days-before-stale: 90
           days-before-close: 30

Dockerfile.standalone

@@ -1,6 +1,6 @@
 # This version of Dockerfile is for building without external dependencies.
 # Build a multi-platform image e.g. `docker buildx build --push --platform linux/arm64,linux/amd64 --tag external-secrets:dev --file Dockerfile.standalone .`
-FROM golang:1.19.5-alpine AS builder
+FROM golang:1.20.2-alpine AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ENV CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH}

Makefile

@@ -81,6 +81,12 @@ check-diff: reviewable ## Ensure branch is clean.
 	@test -z "$$(git status --porcelain)" || (echo "$$(git status --porcelain)" && $(FAIL))
 	@$(OK) branch is clean
 
+update-deps:
+	go get -u
+	cd e2e && go get -u
+	@go mod tidy
+	@cd e2e/ && go mod tidy
+
 # ====================================================================================
 # Golang
 
@@ -179,6 +185,22 @@ helm.generate:
 	./hack/helm.generate.sh $(BUNDLE_DIR) $(HELM_DIR)
 	@$(OK) Finished generating helm chart files
 
+helm.test: helm.generate
+	@helm unittest --file tests/*.yaml --file 'tests/**/*.yaml' deploy/charts/external-secrets/
+
+helm.test.update: helm.generate
+	@helm unittest -u --file tests/*.yaml --file 'tests/**/*.yaml' deploy/charts/external-secrets/
+
+helm.update.appversion:
+	@chartversion=$$(yq .version ./deploy/charts/external-secrets/Chart.yaml) ; \
+	chartappversion=$$(yq .appVersion ./deploy/charts/external-secrets/Chart.yaml) ; \
+	chartname=$$(yq .name ./deploy/charts/external-secrets/Chart.yaml) ; \
+	$(INFO) Update chartname and chartversion string in test snapshots.; \
+	sed -s -i "s/^\([[:space:]]\+helm\.sh\/chart:\).*/\1 $${chartname}-$${chartversion}/" ./deploy/charts/external-secrets/tests/__snapshot__/*.yaml.snap ; \
+	sed -s -i "s/^\([[:space:]]\+app\.kubernetes\.io\/version:\).*/\1 $${chartappversion}/" ./deploy/charts/external-secrets/tests/__snapshot__/*.yaml.snap ; \
+	sed -s -i "s/^\([[:space:]]\+image: ghcr\.io\/external-secrets\/external-secrets:\).*/\1$${chartappversion}/" ./deploy/charts/external-secrets/tests/__snapshot__/*.yaml.snap ; \
+	$(OK) "Version strings updated"
+
 # ====================================================================================
 # Documentation
 .PHONY: docs

apis/externalsecrets/v1alpha1/secretstore_akeyless_types.go

@@ -26,6 +26,16 @@ type AkeylessProvider struct {
 
 	// Auth configures how the operator authenticates with Akeyless.
 	Auth *AkeylessAuth `json:"authSecretRef"`
+
+	// PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
+	// if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
+	// are used to validate the TLS connection.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
 type AkeylessAuth struct {

apis/externalsecrets/v1beta1/provider.go

@@ -21,7 +21,7 @@ import (
 )
 
 const (
-	// Ready indicates that the client is confgured correctly
+	// Ready indicates that the client is configured correctly
 	// and can be used.
 	ValidationResultReady ValidationResult = iota
 

apis/externalsecrets/v1beta1/secretstore_akeyless_types.go

@@ -26,6 +26,16 @@ type AkeylessProvider struct {
 
 	// Auth configures how the operator authenticates with Akeyless.
 	Auth *AkeylessAuth `json:"authSecretRef"`
+
+	// PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
+	// if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
+	// are used to validate the TLS connection.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
 type AkeylessAuth struct {

apis/externalsecrets/v1beta1/secretstore_keepersecurity_types.go

@@ -0,0 +1,23 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// KeeperSecurityProvider Configures a store to sync secrets using Keeper Security.
+type KeeperSecurityProvider struct {
+	Auth     smmeta.SecretKeySelector `json:"authRef"`
+	FolderID string                   `json:"folderID"`
+}

apis/externalsecrets/v1beta1/secretstore_scaleway_types.go

@@ -0,0 +1,47 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type ScalewayProviderSecretRef struct {
+
+	// Value can be specified directly to set a value without using a secret.
+	// +optional
+	Value string `json:"value,omitempty"`
+
+	// SecretRef references a key in a secret that will be used as value.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+type ScalewayProvider struct {
+
+	// APIURL is the url of the api to use. Defaults to https://api.scaleway.com
+	// +optional
+	APIURL string `json:"apiUrl,omitempty"`
+
+	// Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone
+	Region string `json:"region"`
+
+	// ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings
+	ProjectID string `json:"projectId"`
+
+	// AccessKey is the non-secret part of the api key.
+	AccessKey *ScalewayProviderSecretRef `json:"accessKey"`
+
+	// SecretKey is the non-secret part of the api key.
+	SecretKey *ScalewayProviderSecretRef `json:"secretKey"`
+}

apis/externalsecrets/v1beta1/secretstore_types.go

@@ -121,9 +121,17 @@ type SecretStoreProvider struct {
 	// +optional
 	Senhasegura *SenhaseguraProvider `json:"senhasegura,omitempty"`
 
+	// Scaleway
+	// +optional
+	Scaleway *ScalewayProvider `json:"scaleway,omitempty"`
+
 	// Doppler configures this store to sync secrets using the Doppler provider
 	// +optional
 	Doppler *DopplerProvider `json:"doppler,omitempty"`
+
+	// KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
+	// +optional
+	KeeperSecurity *KeeperSecurityProvider `json:"keepersecurity,omitempty"`
 }
 
 type CAProviderType string