From b8d29793ecd22d9d813278626b74560ad7b6108b Mon Sep 17 00:00:00 2001 From: Daniel Hougaard Date: Fri, 24 Jan 2025 18:19:38 +0100 Subject: [PATCH] fix: rename `managedSecretReferneces` to `managedKubeSecretReferences` --- .../kubernetes/infisical-secret-crd.mdx | 30 +++---- helm-charts/secrets-operator/Chart.yaml | 4 +- .../templates/infisicalsecret-crd.yaml | 80 +++++++++--------- helm-charts/secrets-operator/values.yaml | 2 +- .../api/v1alpha1/infisicalsecret_types.go | 2 +- .../api/v1alpha1/zz_generated.deepcopy.go | 4 +- ...ecrets.infisical.com_infisicalsecrets.yaml | 82 +++++++++---------- .../infisicalsecret_controller.go | 22 ++--- .../infisicalsecret/infisicalsecret_helper.go | 4 +- 9 files changed, 115 insertions(+), 115 deletions(-) diff --git a/docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx b/docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx index b981a0211a..32385e66e9 100644 --- a/docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx +++ b/docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx @@ -26,7 +26,7 @@ spec: name: namespace: - managedSecretReferences: + managedKubeSecretReferences: - secretName: managed-secret secretNamespace: default creationPolicy: "Orphan" 
@@ -544,29 +544,29 @@ The Infisical operator will automatically create the Kubernetes secret in the sp The `managedSecretReference` field is deprecated and will be removed in a future release. -Replace it with `managedSecretReferences`, which now accepts an array of references to support multiple managed secrets in a single InfisicalSecret CRD. +Replace it with `managedKubeSecretReferences`, which now accepts an array of references to support multiple managed secrets in a single InfisicalSecret CRD. Example: ```yaml - managedSecretReferences: + managedKubeSecretReferences: - secretName: managed-secret secretNamespace: default creationPolicy: "Orphan" ``` - + - + The name of the managed Kubernetes secret to be created - + The namespace of the managed Kubernetes secret to be created. - + Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets. - + Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator. This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically. 
@@ -587,18 +587,18 @@ This is useful for tools such as ArgoCD, where every resource requires an owner Fetching secrets from Infisical as is via the operator may not be enough. This is where templating functionality may be helpful. Using Go templates, you can format, combine, and create new key-value pairs from secrets fetched from Infisical before storing them as Kubernetes Secrets. - + - + This property controls what secrets are included in your managed secret when using templates. When set to `true`, all secrets fetched from your Infisical project will be added into your managed Kubernetes secret resource. **Use this option when you would like to sync all secrets from Infisical to Kubernetes but want to template a subset of them.** -When set to `false`, only secrets defined in the `managedSecretReferences[].template.data` field of the template will be included in the managed secret. +When set to `false`, only secrets defined in the `managedKubeSecretReferences[].template.data` field of the template will be included in the managed secret. Use this option when you would like to sync **only** a subset of secrets from Infisical to Kubernetes. - + Define secret keys and their corresponding templates. Each data value uses a Golang template with access to all secrets retrieved from the specified scope. @@ -614,7 +614,7 @@ type TemplateSecret struct { #### Example template configuration: ```yaml -managedSecretReferences: +managedKubeSecretReferences: - secretName: managed-secret secretNamespace: default template: @@ -666,7 +666,7 @@ The example below assumes that the `BINARY_KEY_BASE64` secret is stored as a bas The resulting managed secret will contain the decoded value of `BINARY_KEY_BASE64`. ```yaml - managedSecretReferences: + managedKubeSecretReferences: secretName: managed-secret secretNamespace: default template: @@ -927,7 +927,7 @@ spec: .. authentication: ... - managedSecretReferences: + managedKubeSecretReferences: ... ``` 
diff --git a/helm-charts/secrets-operator/Chart.yaml b/helm-charts/secrets-operator/Chart.yaml index 92a6611658..d3ee2a0c12 100644 --- a/helm-charts/secrets-operator/Chart.yaml +++ b/helm-charts/secrets-operator/Chart.yaml @@ -13,9 +13,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: v0.8.5 +version: v0.8.6 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "v0.8.5" +appVersion: "v0.8.6" diff --git a/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml b/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml index e024758eed..9e4bd56ef1 100644 --- a/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml +++ b/helm-charts/secrets-operator/templates/infisicalsecret-crd.yaml 
@@ -261,46 +261,7 @@ spec: hostAPI: description: Infisical host to pull secrets from type: string - managedSecretReference: - properties: - creationPolicy: - default: Orphan - description: 'The Kubernetes Secret creation policy. Enum with values: - ''Owner'', ''Orphan''. Owner creates the secret and sets .metadata.ownerReferences - of the InfisicalSecret CRD that created it. Orphan will not set - the secret owner. This will result in the secret being orphaned - and not deleted when the resource is deleted.' - type: string - secretName: - description: The name of the Kubernetes Secret - type: string - secretNamespace: - description: The name space where the Kubernetes Secret is located - type: string - secretType: - default: Opaque - description: 'The Kubernetes Secret type (experimental feature). - More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types' - type: string - template: - description: The template to transform the secret data - properties: - data: - additionalProperties: - type: string - description: The template key values - type: object - includeAllSecrets: - description: This injects all retrieved secrets into the top - level of your template. Secrets defined in the template will - take precedence over the injected ones. - type: boolean - type: object - required: - - secretName - - secretNamespace - type: object - managedSecretReferences: + managedKubeSecretReferences: items: properties: creationPolicy: 
@@ -342,6 +303,45 @@ spec: - secretNamespace type: object type: array + managedSecretReference: + properties: + creationPolicy: + default: Orphan + description: 'The Kubernetes Secret creation policy. Enum with values: + ''Owner'', ''Orphan''. Owner creates the secret and sets .metadata.ownerReferences + of the InfisicalSecret CRD that created it. Orphan will not set + the secret owner. This will result in the secret being orphaned + and not deleted when the resource is deleted.' + type: string + secretName: + description: The name of the Kubernetes Secret + type: string + secretNamespace: + description: The name space where the Kubernetes Secret is located + type: string + secretType: + default: Opaque + description: 'The Kubernetes Secret type (experimental feature). + More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types' + type: string + template: + description: The template to transform the secret data + properties: + data: + additionalProperties: + type: string + description: The template key values + type: object + includeAllSecrets: + description: This injects all retrieved secrets into the top + level of your template. Secrets defined in the template will + take precedence over the injected ones. + type: boolean + type: object + required: + - secretName + - secretNamespace + type: object resyncInterval: default: 60 type: integer diff --git a/helm-charts/secrets-operator/values.yaml b/helm-charts/secrets-operator/values.yaml index 04ec63540b..9ceddeb3ee 100644 --- a/helm-charts/secrets-operator/values.yaml +++ b/helm-charts/secrets-operator/values.yaml @@ -32,7 +32,7 @@ controllerManager: - ALL image: repository: infisical/kubernetes-operator - tag: v0.8.5 + tag: v0.8.6 resources: limits: cpu: 500m diff --git a/k8-operator/api/v1alpha1/infisicalsecret_types.go b/k8-operator/api/v1alpha1/infisicalsecret_types.go index 0385865f58..c8f8050744 100644 --- a/k8-operator/api/v1alpha1/infisicalsecret_types.go 
+++ b/k8-operator/api/v1alpha1/infisicalsecret_types.go @@ -138,7 +138,7 @@ type InfisicalSecretSpec struct { ManagedSecretReference ManagedKubeSecretConfig `json:"managedSecretReference"` // +kubebuilder:validation:Optional - ManagedSecretReferences []ManagedKubeSecretConfig `json:"managedSecretReferences"` + ManagedKubeSecretReferences []ManagedKubeSecretConfig `json:"managedKubeSecretReferences"` // +kubebuilder:default:=60 ResyncInterval int `json:"resyncInterval"` diff --git a/k8-operator/api/v1alpha1/zz_generated.deepcopy.go b/k8-operator/api/v1alpha1/zz_generated.deepcopy.go index 394f6dfc26..388ad84971 100644 --- a/k8-operator/api/v1alpha1/zz_generated.deepcopy.go +++ b/k8-operator/api/v1alpha1/zz_generated.deepcopy.go @@ -565,8 +565,8 @@ func (in *InfisicalSecretSpec) DeepCopyInto(out *InfisicalSecretSpec) { out.TokenSecretReference = in.TokenSecretReference out.Authentication = in.Authentication in.ManagedSecretReference.DeepCopyInto(&out.ManagedSecretReference) - if in.ManagedSecretReferences != nil { - in, out := &in.ManagedSecretReferences, &out.ManagedSecretReferences + if in.ManagedKubeSecretReferences != nil { + in, out := &in.ManagedKubeSecretReferences, &out.ManagedKubeSecretReferences *out = make([]ManagedKubeSecretConfig, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) diff --git a/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml b/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml index a2918103c4..27ae55ba0e 100644 --- a/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml +++ b/k8-operator/config/crd/bases/secrets.infisical.com_infisicalsecrets.yaml 
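Review bot: In `infisicalsecret_types.go` the `managedSecretReferences` JSON key is removed outright rather than deprecated, so an InfisicalSecret already written with it would decode with an empty `ManagedKubeSecretReferences`; the v0.8.5 chart's CRD template, as shown in the removed lines of this patch, carried that key. Judging from the Reconcile hunk in `infisicalsecret_controller.go`, such an object then fails with the "must have at least one managed secret reference" error and stops syncing, so values rotated in Infisical would no longer reach the cluster. Whether the API server prunes or rejects the old key depends on CRD settings not visible here. Consider keeping a `ManagedSecretReferences []ManagedKubeSecretConfig` field tagged `json:"managedSecretReferences,omitempty"` for one release, marked `// Deprecated: use ManagedKubeSecretReferences.`, and merging it in Reconcile with a warning. The same key is renamed in both CRD YAML files, and `InfisicalSecretSpec` starts and ends outside this hunk.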
@@ -261,47 +261,7 @@ spec: hostAPI: description: Infisical host to pull secrets from type: string - managedSecretReference: - properties: - creationPolicy: - default: Orphan - description: 'The Kubernetes Secret creation policy. Enum with - values: ''Owner'', ''Orphan''. Owner creates the secret and - sets .metadata.ownerReferences of the InfisicalSecret CRD that - created it. Orphan will not set the secret owner. This will - result in the secret being orphaned and not deleted when the - resource is deleted.' - type: string - secretName: - description: The name of the Kubernetes Secret - type: string - secretNamespace: - description: The name space where the Kubernetes Secret is located - type: string - secretType: - default: Opaque - description: 'The Kubernetes Secret type (experimental feature). - More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types' - type: string - template: - description: The template to transform the secret data - properties: - data: - additionalProperties: - type: string - description: The template key values - type: object - includeAllSecrets: - description: This injects all retrieved secrets into the top - level of your template. Secrets defined in the template - will take precedence over the injected ones. - type: boolean - type: object - required: - - secretName - - secretNamespace - type: object - managedSecretReferences: + managedKubeSecretReferences: items: properties: creationPolicy: 
@@ -343,6 +303,46 @@ spec: - secretNamespace type: object type: array + managedSecretReference: + properties: + creationPolicy: + default: Orphan + description: 'The Kubernetes Secret creation policy. Enum with + values: ''Owner'', ''Orphan''. Owner creates the secret and + sets .metadata.ownerReferences of the InfisicalSecret CRD that + created it. Orphan will not set the secret owner. This will + result in the secret being orphaned and not deleted when the + resource is deleted.' + type: string + secretName: + description: The name of the Kubernetes Secret + type: string + secretNamespace: + description: The name space where the Kubernetes Secret is located + type: string + secretType: + default: Opaque + description: 'The Kubernetes Secret type (experimental feature). + More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types' + type: string + template: + description: The template to transform the secret data + properties: + data: + additionalProperties: + type: string + description: The template key values + type: object + includeAllSecrets: + description: This injects all retrieved secrets into the top + level of your template. Secrets defined in the template + will take precedence over the injected ones. + type: boolean + type: object + required: + - secretName + - secretNamespace + type: object resyncInterval: default: 60 type: integer diff --git a/k8-operator/controllers/infisicalsecret/infisicalsecret_controller.go b/k8-operator/controllers/infisicalsecret/infisicalsecret_controller.go index 5c0b146005..ad277ff40c 100644 --- a/k8-operator/controllers/infisicalsecret/infisicalsecret_controller.go +++ b/k8-operator/controllers/infisicalsecret/infisicalsecret_controller.go 
@@ -72,25 +72,25 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ } // It's important we don't directly modify the CRD object, so we create a copy of it and move existing data into it. - managedSecretReferences := infisicalSecretCRD.Spec.ManagedSecretReferences + managedKubeSecretReferences := infisicalSecretCRD.Spec.ManagedKubeSecretReferences - if infisicalSecretCRD.Spec.ManagedSecretReference.SecretName != "" && managedSecretReferences != nil && len(managedSecretReferences) > 0 { - errMessage := "InfisicalSecret CRD cannot have both managedSecretReference and managedSecretReferences" + if infisicalSecretCRD.Spec.ManagedSecretReference.SecretName != "" && managedKubeSecretReferences != nil && len(managedKubeSecretReferences) > 0 { + errMessage := "InfisicalSecret CRD cannot have both managedSecretReference and managedKubeSecretReferences" logger.Error(defaultErrors.New(errMessage), errMessage) return ctrl.Result{}, defaultErrors.New(errMessage) } if infisicalSecretCRD.Spec.ManagedSecretReference.SecretName != "" { - logger.Info("\n\n\nThe field `managedSecretReference` will be deprecated in the near future, please use `managedSecretReferences` instead.\n\nRefer to the documentation for more information: https://infisical.com/docs/integrations/platforms/kubernetes/infisical-secret-crd\n\n\n") + logger.Info("\n\n\nThe field `managedSecretReference` will be deprecated in the near future, please use `managedKubeSecretReferences` instead.\n\nRefer to the documentation for more information: https://infisical.com/docs/integrations/platforms/kubernetes/infisical-secret-crd\n\n\n") - if managedSecretReferences == nil { - managedSecretReferences = []secretsv1alpha1.ManagedKubeSecretConfig{} + if managedKubeSecretReferences == nil { + managedKubeSecretReferences = []secretsv1alpha1.ManagedKubeSecretConfig{} } - managedSecretReferences = append(managedSecretReferences, infisicalSecretCRD.Spec.ManagedSecretReference) + 
managedKubeSecretReferences = append(managedKubeSecretReferences, infisicalSecretCRD.Spec.ManagedSecretReference) } - if len(managedSecretReferences) == 0 { - errMessage := "InfisicalSecret CRD must have at least one managed secret reference set in the `managedSecretReferences` field" + if len(managedKubeSecretReferences) == 0 { + errMessage := "InfisicalSecret CRD must have at least one managed secret reference set in the `managedKubeSecretReferences` field" logger.Error(defaultErrors.New(errMessage), errMessage) return ctrl.Result{}, defaultErrors.New(errMessage) } @@ -151,7 +151,7 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ api.API_CA_CERTIFICATE = "" } - err = r.ReconcileInfisicalSecret(ctx, logger, infisicalSecretCRD, managedSecretReferences) + err = r.ReconcileInfisicalSecret(ctx, logger, infisicalSecretCRD, managedKubeSecretReferences) r.SetReadyToSyncSecretsConditions(ctx, &infisicalSecretCRD, err) if err != nil { @@ -162,7 +162,7 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ }, nil } - numDeployments, err := controllerhelpers.ReconcileDeploymentsWithMultipleManagedSecrets(ctx, r.Client, logger, managedSecretReferences) + numDeployments, err := controllerhelpers.ReconcileDeploymentsWithMultipleManagedSecrets(ctx, r.Client, logger, managedKubeSecretReferences) r.SetInfisicalAutoRedeploymentReady(ctx, logger, &infisicalSecretCRD, numDeployments, err) if err != nil { logger.Error(err, fmt.Sprintf("unable to reconcile auto redeployment. Will requeue after [requeueTime=%v]", requeueTime)) diff --git a/k8-operator/controllers/infisicalsecret/infisicalsecret_helper.go b/k8-operator/controllers/infisicalsecret/infisicalsecret_helper.go index f58edfa58f..44789836e9 100644 --- a/k8-operator/controllers/infisicalsecret/infisicalsecret_helper.go +++ b/k8-operator/controllers/infisicalsecret/infisicalsecret_helper.go 
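Review bot: The comment above `managedKubeSecretReferences := infisicalSecretCRD.Spec.ManagedKubeSecretReferences` says a copy is created, but a slice assignment shares its backing array with the spec, so an in-place write through it would modify the object the comment says to leave untouched. If isolation is intended, copy explicitly with `managedKubeSecretReferences := append([]secretsv1alpha1.ManagedKubeSecretConfig(nil), infisicalSecretCRD.Spec.ManagedKubeSecretReferences...)`; otherwise reword the comment to say the slice is shared. The `== nil` initialisation before `append` is unnecessary because `append` accepts a nil slice. The conflict check can drop its nil test too, since `len(managedKubeSecretReferences) > 0` is already false for a nil slice. Reconcile starts and ends outside this hunk.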
@@ -337,7 +337,7 @@ func (r *InfisicalSecretReconciler) updateResourceVariables(infisicalSecret v1al infisicalSecretResourceVariablesMap[string(infisicalSecret.UID)] = resourceVariables } -func (r *InfisicalSecretReconciler) ReconcileInfisicalSecret(ctx context.Context, logger logr.Logger, infisicalSecret v1alpha1.InfisicalSecret, managedSecretReferences []v1alpha1.ManagedKubeSecretConfig) error { +func (r *InfisicalSecretReconciler) ReconcileInfisicalSecret(ctx context.Context, logger logr.Logger, infisicalSecret v1alpha1.InfisicalSecret, managedKubeSecretReferences []v1alpha1.ManagedKubeSecretConfig) error { resourceVariables := r.getResourceVariables(infisicalSecret) infisicalClient := resourceVariables.InfisicalClient @@ -361,7 +361,7 @@ func (r *InfisicalSecretReconciler) ReconcileInfisicalSecret(ctx context.Context }) } - for _, managedSecretReference := range managedSecretReferences { + for _, managedSecretReference := range managedKubeSecretReferences { // Look for managed secret by name and namespace managedKubeSecret, err := util.GetKubeSecretByNamespacedName(ctx, r.Client, types.NamespacedName{ Name: managedSecretReference.SecretName,