diff --git a/.gitignore b/.gitignore
index d97ffc5..892fb5d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,6 @@ bin
 *.swp
 *.swo
 *~
+
+# Config directory
+config/
diff --git a/Makefile b/Makefile
index 788fa5e..3bac6b1 100644
--- a/Makefile
+++ b/Makefile
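Review bot: The new `config/` pattern is unanchored, so it ignores a directory named `config` at any depth of the tree (one nested under `charts/`, for instance), not only the top-level directory this commit removes. If only the repository-root directory is meant, anchor it as `/config/`. The comment would also be more useful if it said why a directory that no longer exists in git is ignored at all — presumably to keep regenerated scaffolding out of the tree, but that is an inference from the rest of the diff.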
@@ -1,49 +1,9 @@ -# VERSION defines the project version for the bundle. -# Update this value when you upgrade the version of your project. -VERSION ?= $(shell git describe --tags --abbrev=0) - -# CHANNELS define the bundle channels used in the bundle. -# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") -# To re-generate a bundle for other specific channels without changing the standard setup, you can: -# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable) -# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable") -ifneq ($(origin CHANNELS), undefined) -BUNDLE_CHANNELS := --channels=$(CHANNELS) -endif - -# DEFAULT_CHANNEL defines the default channel used in the bundle. -# Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable") -# To re-generate a bundle for any other default channel without changing the default setup, you can: -# - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable) -# - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable") -ifneq ($(origin DEFAULT_CHANNEL), undefined) -BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) -endif -BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) - -# IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images. -# This variable is used to construct full image tags for bundle and catalog images. -IMAGE_TAG_BASE ?= ricoberger/vault-secrets-operator - -# BUNDLE_IMG defines the image:tag used for the bundle. -# You can use it as an arg. 
(E.g make bundle-build BUNDLE_IMG=/:) -BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) - -# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command -BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) +# Set the Operator SDK version to use. By default, what is installed on the system is used. +# This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. +OPERATOR_SDK_VERSION ?= v1.30.0 -# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests -# You can enable this value if you would like to use SHA Based Digests -# To enable set flag to true -USE_IMAGE_DIGESTS ?= false -ifeq ($(USE_IMAGE_DIGESTS), true) - BUNDLE_GEN_FLAGS += --use-image-digests -endif - -# Image URL to use all building/pushing image targets -IMG ?= ricoberger/vault-secrets-operator:main # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION = 1.24.1 +ENVTEST_K8S_VERSION = 1.26.0 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) @@ -53,7 +13,6 @@ GOBIN=$(shell go env GOBIN) endif # Setting SHELL to bash allows bash commands to be executed by recipes. -# This is a requirement for 'setup-envtest.sh' in the test target. # Options are set to exit when a recipe line exits non-zero or a piped command fails. SHELL = /usr/bin/env bash -o pipefail .SHELLFLAGS = -ec 
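Review bot: The comment added above `OPERATOR_SDK_VERSION ?= v1.30.0` says that what is installed on the system is used by default, but the assignment pins the release that gets downloaded; in the `operator-sdk` target later in this diff a binary already on `PATH` or in `$(LOCALBIN)` is used as-is whatever its version, and the pinned value only decides what is fetched when none is found. Suggest making the comment say that: `# operator-sdk release to download when none is found in $(LOCALBIN) or on PATH; a pre-installed binary is used unchanged, with no version check.`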
@@ -82,7 +41,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=vault-secrets-operator crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=vault-secrets-operator crd webhook paths="./..." output:crd:artifacts:config=charts/vault-secrets-operator/crds .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. 
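Review bot: The `manifests` recipe now writes the generated CRD straight into the chart's `crds/` directory, and Helm applies files under `crds/` only on initial install and skips them on `helm upgrade`, so a regenerated schema does not reach existing clusters through the chart alone. That consequence is worth recording on the target, e.g. extending its `##` line with `CRDs land in the chart's crds/ dir, which Helm does not update on upgrade.` I cannot see from this diff whether the chart or its documentation already handles CRD upgrades separately.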
@@ -98,49 +57,18 @@ vet: ## Run go vet against code. .PHONY: test test: manifests generate fmt vet envtest ## Run tests. - KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out + KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out ##@ Build .PHONY: build -build: generate fmt vet ## Build manager binary. +build: manifests generate fmt vet ## Build manager binary. go build -o bin/manager main.go .PHONY: run run: manifests generate fmt vet ## Run a controller from your host. go run ./main.go -.PHONY: docker-build -docker-build: test ## Build docker image with the manager. - docker build -t ${IMG} . - -.PHONY: docker-push -docker-push: ## Push docker image with the manager. - docker push ${IMG} - -##@ Deployment - -ifndef ignore-not-found - ignore-not-found = false -endif - -.PHONY: install -install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl apply -f - - -.PHONY: uninstall -uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - - -.PHONY: deploy -deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - $(KUSTOMIZE) build config/default | kubectl apply -f - - -.PHONY: undeploy -undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - - ##@ Build Dependencies ## Location to install dependencies to 
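Review bot: In the `test` recipe the `$(shell $(ENVTEST) use … --bin-dir $(LOCALBIN) -p path)` is expanded by make, not by the recipe shell, so `.SHELLFLAGS = -ec` does not cover it: if `setup-envtest use` fails (offline, bad version), `KUBEBUILDER_ASSETS` is silently empty and `go test` fails later with a less direct error. Letting the recipe shell run it and chaining on its status surfaces the real cause, e.g. `assets="$$($(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" && KUBEBUILDER_ASSETS="$$assets" go test ./... -coverprofile cover.out`. The `--bin-dir $(LOCALBIN)` addition itself is an improvement, since the assets then stay inside the project tree.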
@@ -149,82 +77,36 @@ $(LOCALBIN): mkdir -p $(LOCALBIN) ## Tool Binaries -KUSTOMIZE ?= $(LOCALBIN)/kustomize CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest ## Tool Versions -KUSTOMIZE_VERSION ?= v3.8.7 CONTROLLER_TOOLS_VERSION ?= v0.15.0 -KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" -.PHONY: kustomize -kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. -$(KUSTOMIZE): $(LOCALBIN) - curl -s $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN) - .PHONY: controller-gen -controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. +controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. $(CONTROLLER_GEN): $(LOCALBIN) + test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) .PHONY: envtest envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. $(ENVTEST): $(LOCALBIN) - GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest - -.PHONY: bundle -bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files. - operator-sdk generate kustomize manifests -q - cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) - operator-sdk bundle validate ./bundle - -.PHONY: bundle-build -bundle-build: ## Build the bundle image. - docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . - -.PHONY: bundle-push -bundle-push: ## Push the bundle image. - $(MAKE) docker-push IMG=$(BUNDLE_IMG) - -.PHONY: opm -OPM = ./bin/opm -opm: ## Download opm locally if necessary. 
-ifeq (,$(wildcard $(OPM))) -ifeq (,$(shell which opm 2>/dev/null)) + test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest + +.PHONY: operator-sdk +OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk +operator-sdk: ## Download operator-sdk locally if necessary. +ifeq (,$(wildcard $(OPERATOR_SDK))) +ifeq (, $(shell which operator-sdk 2>/dev/null)) @{ \ set -e ;\ - mkdir -p $(dir $(OPM)) ;\ + mkdir -p $(dir $(OPERATOR_SDK)) ;\ OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ - curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\ - chmod +x $(OPM) ;\ + curl -sSLo $(OPERATOR_SDK) https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$${OS}_$${ARCH} ;\ + chmod +x $(OPERATOR_SDK) ;\ } else -OPM = $(shell which opm) -endif +OPERATOR_SDK = $(shell which operator-sdk) endif - -# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0). -# These images MUST exist in a registry and be pull-able. -BUNDLE_IMGS ?= $(BUNDLE_IMG) - -# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0). -CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION) - -# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image. -ifneq ($(origin CATALOG_BASE_IMG), undefined) -FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG) endif - -# Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'. -# This recipe invokes 'opm' in 'semver' bundle add mode. 
For more information on add modes, see: -# https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator -.PHONY: catalog-build -catalog-build: opm ## Build a catalog image. - $(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) - -# Push the catalog image. -.PHONY: catalog-push -catalog-push: ## Push a catalog image. - $(MAKE) docker-push IMG=$(CATALOG_IMG) diff --git a/README.md b/README.md index 96b807f..9838b02 100644 --- a/README.md +++ b/README.md 
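Review bot: The `operator-sdk` target downloads a release binary with `curl -sSLo` and marks it executable without `--fail` and without any integrity check, so an HTTP error body would be written to `$(OPERATOR_SDK)`, chmod'd, and then satisfy the `$(wildcard $(OPERATOR_SDK))` test on every later run. Use `curl -fsSLo …` so a non-2xx response aborts the recipe, and verify the file against the checksum published with that release (`sha256sum -c`) before the `chmod +x` line. The same hunk keeps `setup-envtest@latest` unpinned behind the new `test -s` guard, so the version installed depends on when the build first ran; pin it with a variable like `CONTROLLER_TOOLS_VERSION`. The new controller-gen recipe also spells out `$(LOCALBIN)/controller-gen` twice where `$@` would keep it in step with `CONTROLLER_GEN`.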
@@ -711,19 +711,20 @@ After modifying the `*_types.go` file always run the following command to update make generate ``` -The above makefile target will invoke the [controller-gen](https://sigs.k8s.io/controller-tools) utility to update the `api/v1alpha1/zz_generated.deepcopy.go` file to ensure our API's Go type definitons implement the `runtime.Object` interface that all Kind types must implement. +The above Makefile target will invoke the [controller-gen](https://sigs.k8s.io/controller-tools) utility to update the +`api/v1alpha1/zz_generated.deepcopy.go` file to ensure our API's Go type definitons implement the `runtime.Object` +interface that all Kind types must implement. -Once the API is defined with spec/status fields and CRD validation markers, the CRD manifests can be generated and updated with the following command: +Once the API is defined with spec/status fields and CRD validation markers, the CRD manifests can be generated and +updated with the following command: ```sh make manifests ``` -This makefile target will invoke controller-gen to generate the CRD manifests at `config/crd/bases/ricoberger.de_vaultsecrets.yaml`. +This Makefile target will invoke controller-gen to generate the CRD manifest at `charts/vault-secrets-operator/crds/ricoberger.de_vaultsecrets.yaml`. -### Locally - -Specify the Vault address, a token to access Vault and the TTL (in seconds) for the token: +Deploy the CRD and run the operator locally with the default Kubernetes config file present at `$HOME/.kube/config`: ```sh export VAULT_ADDRESS= 
@@ -731,42 +732,10 @@ export VAULT_AUTH_METHOD=token export VAULT_TOKEN= export VAULT_TOKEN_LEASE_DURATION=86400 export VAULT_RECONCILIATION_TIME=180 -``` - -Deploy the CRD and run the operator locally with the default Kubernetes config file present at `$HOME/.kube/config`: - -```sh -make install run -``` - -### Minikube - -Reuse Minikube's built-in Docker daemon: - -```sh -eval $(minikube docker-env) -``` - -Build the Docker image for the operator: - -```sh -make docker-build IMG=ricoberger/vault-secrets-operator:dev -``` - -Run the following to deploy the operator. This will also install the RBAC manifests from `config/rbac`. -```sh -make deploy IMG=ricoberger/vault-secrets-operator:dev -``` - -Deploy the Helm chart: - -```sh -helm upgrade --install vault-secrets-operator ./charts/vault-secrets-operator --namespace=vault-secrets-operator --set vault.address="$VAULT_ADDRESS" --set image.repository="ricoberger/vault-secrets-operator" --set image.tag="dev" +make run ``` -For an example using [kind](https://kind.sigs.k8s.io) you can take a look at the `hack/setup-kind.sh` file. - ## Links * [Managing Secrets in Kubernetes](https://www.weave.works/blog/managing-secrets-in-kubernetes) diff --git a/charts/vault-secrets-operator/Chart.yaml b/charts/vault-secrets-operator/Chart.yaml index b0ff6f3..fac6f85 100644 --- a/charts/vault-secrets-operator/Chart.yaml +++ b/charts/vault-secrets-operator/Chart.yaml @@ -7,4 +7,4 @@ maintainers: - name: Rico Berger url: https://ricoberger.de name: vault-secrets-operator -version: 2.5.8 +version: 2.5.9 diff --git a/charts/vault-secrets-operator/crds/crd-vaultsecret.yaml b/charts/vault-secrets-operator/crds/crd-vaultsecret.yaml deleted file mode 100644 index 18432a2..0000000 --- a/charts/vault-secrets-operator/crds/crd-vaultsecret.yaml +++ /dev/null 
@@ -1,220 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: vaultsecrets.ricoberger.de -spec: - group: ricoberger.de - names: - kind: VaultSecret - listKind: VaultSecretList - plural: vaultsecrets - singular: vaultsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Indicates if the secret was created/updated successfully - jsonPath: .status.conditions[?(@.type=="SecretCreated")].status - name: Succeeded - type: string - - description: Reason for the current status - jsonPath: .status.conditions[?(@.type=="SecretCreated")].reason - name: Reason - type: string - - description: Message with more information, regarding the current status - jsonPath: .status.conditions[?(@.type=="SecretCreated")].message - name: Message - type: string - - description: Time when the condition was updated the last time - jsonPath: .status.conditions[?(@.type=="SecretCreated")].lastTransitionTime - name: Last Transition - type: date - - description: Time when this VaultSecret was created - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: VaultSecret is the Schema for the vaultsecrets API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: VaultSecretSpec defines the desired state of VaultSecret - properties: - engineOptions: - additionalProperties: - type: string - description: EngineOptions specifies options for the engine. - type: object - isBinary: - description: |- - isBinary is a flag indicates if data stored in vault is - binary data. Since vault does not store binary data natively, - the binary data is stored as base64 encoded. However, same data get encoded - again when operator stored them as secret in k8s which caused the data to - get double encoded. This flag will skip the base64 encode which is needed - for string data to avoid the double encode problem. - type: boolean - keys: - description: |- - Keys is an array of Keys, which should be included in the Kubernetes - secret. If the Keys field is ommitted all keys from the Vault secret will - be included in the Kubernetes secret. - items: - type: string - type: array - path: - description: Path is the path of the corresponding secret in Vault. - type: string - reconcileStrategy: - description: |- - ReconcileStrategy defines the strategy for reconcilation. The default value is "Replace", which replaces any - existing data keys in a secret with the loaded keys from Vault. The second valid value is "Merge" wiche merges - the loaded keys from Vault with the existing keys in a secret. Duplicated keys will be replaced with the value - from Vault. Other values are not valid for this field. - type: string - role: - description: Role specifies the role to use with PKI engine - type: string - secretEngine: - description: |- - SecretEngine specifies the type of the Vault secret engine in which the - secret is stored. Currently the 'KV Secrets Engine - Version 1' and - 'KV Secrets Engine - Version 2' are supported. The value must be 'kv'. 
If - the value is omitted or an other values is used the Vault Secrets - Operator will try to use the KV secret engine. - type: string - templates: - additionalProperties: - type: string - description: |- - Templates, if not empty will be run through the the Go templating engine, with `.Secrets` being mapped - to the list of secrets received from Vault. When omitted set, all secrets will be added as key/val pairs - under Secret.data. - type: object - type: - description: |- - Type is the type of the Kubernetes secret, which will be created by the - Vault Secrets Operator. - type: string - vaultNamespace: - description: |- - VaultNamespace can be used to specify the Vault namespace for a secret. When this value is set, the - X-Vault-Namespace header will be set for the request. More information regarding namespaces can be found in the - Vault Enterprise documentation: https://www.vaultproject.io/docs/enterprise/namespaces - type: string - vaultRole: - description: |- - VaultRole can be used to specify the Vault role, which should be used to get the secret from Vault. If the - vaultRole property is set a new client with the specified Vault Role will be created and the shared client is - ignored. If the operator is configured using the token auth method this property has no effect. - type: string - version: - description: |- - Version sets the version of the secret which should be used. The version - is only used if the KVv2 secret engine is used. If the version is - omitted the Operator uses the latest version of the secret. If the version - omitted and the VAULT_RECONCILIATION_TIME environment variable is set, the - Kubernetes secret will be updated if the Vault secret changes. 
- type: integer - required: - - path - - type - type: object - status: - description: VaultSecretStatus defines the observed state of VaultSecret - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. 
- Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/crd/bases/ricoberger.de_vaultsecrets.yaml b/charts/vault-secrets-operator/crds/ricoberger.de_vaultsecrets.yaml similarity index 100% rename from config/crd/bases/ricoberger.de_vaultsecrets.yaml rename to charts/vault-secrets-operator/crds/ricoberger.de_vaultsecrets.yaml diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml deleted file mode 100644 index d8bff82..0000000 --- a/config/crd/kustomization.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -# This kustomization.yaml is not intended to be run by itself, -# since it depends on service name and namespace that are out of this kustomize package. -# It should be run by config/default -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- bases/ricoberger.de_vaultsecrets.yaml -# +kubebuilder:scaffold:crdkustomizeresource diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml deleted file mode 100644 index 5f2ca05..0000000 --- a/config/default/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# Adds namespace to all resources. -namespace: vault-secrets-operator -resources: -- ../crd -- ../rbac -- ../manager diff --git a/config/manager/deploy.yaml b/config/manager/deploy.yaml deleted file mode 100644 index faa428a..0000000 --- a/config/manager/deploy.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault-secrets-operator - namespace: vault-secrets-operator - labels: - app: vault-secrets-operator -spec: - selector: - matchLabels: - app: vault-secrets-operator - replicas: 1 - template: - metadata: - labels: - app: vault-secrets-operator - spec: - serviceAccountName: vault-secrets-operator - containers: - - command: - - /manager - args: - - -leader-elect - image: ricoberger/vault-secrets-operator:v1.24.2 - name: manager - env: - - name: WATCH_NAMESPACE - value: "" - - name: VAULT_ADDRESS - value: "http://vault.vault.svc.cluster.local:8200" - - name: VAULT_AUTH_METHOD - value: "token" - - name: VAULT_TOKEN - value: "" - - name: VAULT_TOKEN_LEASE_DURATION - value: "86400" - - name: VAULT_RECONCILIATION_TIME - value: "0" - ports: - - name: http-metrics - containerPort: 8080 - protocol: TCP - - name: http - containerPort: 8081 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: http - readinessProbe: - httpGet: - path: /readyz - port: http - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml deleted file mode 100644 index 53ffde4..0000000 --- a/config/manager/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- namespace.yaml -- deploy.yaml -- service.yaml diff --git a/config/manager/namespace.yaml b/config/manager/namespace.yaml deleted file mode 100644 index b0477ef..0000000 --- a/config/manager/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: vault-secrets-operator diff --git a/config/manager/service.yaml b/config/manager/service.yaml deleted file mode 100644 index f2e110b..0000000 --- a/config/manager/service.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: vault-secrets-operator -spec: - type: ClusterIP - ports: - - port: 8080 - targetPort: http-metrics - protocol: TCP - name: http-metrics - - port: 8081 - targetPort: http - protocol: TCP - name: http - selector: - app: vault-secrets-operator diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml deleted file mode 100644 index 6da23f4..0000000 --- a/config/rbac/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- role.yaml -- role_binding.yaml -- service_account.yaml diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml deleted file mode 100644 index 7da06e1..0000000 --- a/config/rbac/role_binding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vault-secrets-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: vault-secrets-operator -subjects: -- kind: ServiceAccount - name: vault-secrets-operator - namespace: vault-secrets-operator diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml deleted file mode 100644 index 7807e52..0000000 --- a/config/rbac/service_account.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault-secrets-operator - namespace: vault-secrets-operator diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml deleted file mode 100644 index ba35890..0000000 --- a/config/samples/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -## Append samples you want in your CSV to this file as resources ## -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- ricoberger.de_v1alpha1_vaultsecret.yaml -# +kubebuilder:scaffold:manifestskustomizesamples 
diff --git a/config/samples/ricoberger.de_v1alpha1_vaultsecret.yaml b/config/samples/ricoberger.de_v1alpha1_vaultsecret.yaml deleted file mode 100644 index 5a21b66..0000000 --- a/config/samples/ricoberger.de_v1alpha1_vaultsecret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: ricoberger.de/v1alpha1 -kind: VaultSecret -metadata: - name: vaultsecret-sample -spec: - keys: - - foo - path: kvv1/example-vaultsecret - type: Opaque diff --git a/kustomization.yaml b/kustomization.yaml deleted file mode 100644 index 8c0a562..0000000 --- a/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- config/default