diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index fbe5d19498..313b094f92 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -32,7 +32,7 @@ dependencies: version: 1.21.1 repository: https://kubernetes-sigs.github.io/external-dns - name: external-secrets - version: 2.4.1 + version: 2.5.0 repository: https://charts.external-secrets.io - name: gitea version: 12.5.3 diff --git a/charts/external-secrets/Chart.yaml b/charts/external-secrets/Chart.yaml index 5ff169c3cd..71072e27e4 100644 --- a/charts/external-secrets/Chart.yaml +++ b/charts/external-secrets/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: v2.4.1 +appVersion: v2.5.0 dependencies: - condition: bitwarden-sdk-server.enabled name: bitwarden-sdk-server @@ -17,4 +17,4 @@ maintainers: name: mcavoyk name: external-secrets type: application -version: 2.4.1 +version: 2.5.0 diff --git a/charts/external-secrets/README.md b/charts/external-secrets/README.md index 9365773b4d..28353ff2a9 100644 --- a/charts/external-secrets/README.md +++ b/charts/external-secrets/README.md @@ -4,7 +4,7 @@ [//]: # (README.md generated by gotmpl. DO NOT EDIT.) -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.4.1](https://img.shields.io/badge/Version-2.4.1-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) External secrets management for Kubernetes 
@@ -61,7 +61,12 @@ The command removes all the Kubernetes components associated with the chart and | certController.livenessProbe.successThreshold | int | `1` | | | certController.livenessProbe.timeoutSeconds | int | `5` | | | certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the Certificate Controller | +| certController.metrics.listen.auth.enabled | bool | `false` | Enable Kubernetes RBAC-based authentication for certController's metrics endpoint. Requires certController.metrics.listen.secure to be true. Default value is false. | | certController.metrics.listen.port | int | `8080` | | +| certController.metrics.listen.secure.certDir | string | `"/etc/tls"` | TLS cert directory path | +| certController.metrics.listen.secure.certFile | string | `"/etc/tls/tls.crt"` | TLS cert file path | +| certController.metrics.listen.secure.enabled | bool | `false` | | +| certController.metrics.listen.secure.keyFile | string | `"/etc/tls/tls.key"` | TLS key file path | | certController.metrics.service.annotations | object | `{}` | Additional service annotations | | certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics | | certController.metrics.service.port | int | `8080` | Metrics service port to scrape | 
@@ -170,6 +175,7 @@ The command removes all the Kubernetes components associated with the chart and | livenessProbe.spec.successThreshold | int | `1` | Number of successful probes to mark probe successful. | | livenessProbe.spec.timeoutSeconds | int | `5` | Specify the maximum amount of time to wait for a probe to respond before considering it fails. | | log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the External Secrets Operator | +| metrics.listen.auth.enabled | bool | `false` | Enable Kubernetes RBAC-based authentication for metrics endpoint. Requires metrics.listen.secure to be true. Default value is false. | | metrics.listen.port | int | `8080` | | | metrics.listen.secure.certDir | string | `"/etc/tls"` | TLS cert directory path | | metrics.listen.secure.certFile | string | `"/etc/tls/tls.crt"` | TLS cert file path | 
@@ -197,6 +203,7 @@ The command removes all the Kubernetes components associated with the chart and | rbac.aggregateToEdit | bool | `true` | Specifies whether permissions are aggregated to the edit ClusterRole | | rbac.aggregateToView | bool | `true` | Specifies whether permissions are aggregated to the view ClusterRole | | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | +| rbac.serviceAccountTokenCreate | bool | `true` | Specifies whether the serviceaccounts/token create permission is included in the controller RBAC. When set to false, users must create per-ServiceAccount Role/RoleBinding with resourceNames constraint to grant ESO token creation for specific ServiceAccounts referenced in SecretStore specs. | | rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. | | readinessProbe.enabled | bool | `false` | Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port. | | readinessProbe.spec | object | `{"failureThreshold":3,"httpGet":{"path":"/readyz","port":"live"},"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | The body of the readiness probe settings (standard Kubernetes probe spec). | 
@@ -212,7 +219,7 @@ The command removes all the Kubernetes components associated with the chart and | resources | object | `{}` | | | revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) | | scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace | -| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets | +| scopedRBAC | bool | `false` | If true, create scoped RBAC roles and implicitly disable cluster-scoped controllers. Scoped to scopedNamespace if set, otherwise to .Release.Namespace. | | securityContext.allowPrivilegeEscalation | bool | `false` | | | securityContext.capabilities.drop[0] | string | `"ALL"` | | | securityContext.enabled | bool | `true` | | 
@@ -282,7 +289,12 @@ The command removes all the Kubernetes components associated with the chart and | webhook.livenessProbe.timeoutSeconds | int | `5` | | | webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the Webhook | | webhook.lookaheadInterval | string | `""` | Specifies the lookaheadInterval for certificate validity | +| webhook.metrics.listen.auth.enabled | bool | `false` | Enable Kubernetes RBAC-based authentication for webhook's metrics endpoint. Requires webhook.metrics.listen.secure to be true. Default value is false. | | webhook.metrics.listen.port | int | `8080` | | +| webhook.metrics.listen.secure.certDir | string | `"/etc/tls"` | TLS cert directory path | +| webhook.metrics.listen.secure.certFile | string | `"/etc/tls/tls.crt"` | TLS cert file path | +| webhook.metrics.listen.secure.enabled | bool | `false` | | +| webhook.metrics.listen.secure.keyFile | string | `"/etc/tls/tls.key"` | TLS key file path | | webhook.metrics.service.annotations | object | `{}` | Additional service annotations | | webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics | | webhook.metrics.service.port | int | `8080` | Metrics service port to scrape | diff --git a/charts/external-secrets/crds/clustersecretstore.yaml b/charts/external-secrets/crds/clustersecretstore.yaml index 8e6967c9aa..b9966a954f 100644 --- a/charts/external-secrets/crds/clustersecretstore.yaml +++ b/charts/external-secrets/crds/clustersecretstore.yaml 
@@ -488,6 +488,16 @@ spec: type: object type: object type: object + customSessionTags: + additionalProperties: + type: string + description: |- + CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom. + These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags. + type: object + x-kubernetes-validations: + - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind' + rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)' externalID: description: AWS External ID set on assumed IAM roles type: string @@ -543,6 +553,19 @@ spec: - value type: object type: array + sessionTagsPolicy: + default: None + description: |- + SessionTagsPolicy controls whether and how STS session tags are added when assuming roles. + None (default): no tags are added. + Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags. + Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags. + Note: the IAM role must have sts:TagSession permission when using Simple or Custom. + enum: + - None + - Simple + - Custom + type: string transitiveTagKeys: description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: 
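Review bot: Nothing in the schema ties `customSessionTags` to `sessionTagsPolicy`, so a store that sets tags while leaving the policy at its `None` default passes admission and the tags are silently never sent; the enclosing auth object (which starts outside both hunks) could carry `x-kubernetes-validations: - message: customSessionTags requires sessionTagsPolicy to be Custom` with `rule: "!has(self.customSessionTags) || (has(self.sessionTagsPolicy) && self.sessionTagsPolicy == 'Custom')"`. The map is also unbounded — no `maxProperties` and no `maxLength` on keys or values — so STS limits (AWS documents 50 session tags, 128-character keys and 256-character values, worth confirming against the current STS quotas) are only discovered at AssumeRole time rather than at admission. The reserved-key rule is fine; the point is only that the remaining bad inputs fail late. The same two hunks recur in secretstore.yaml and in templates/crds/clustersecretstore.yaml and templates/crds/secretstore.yaml.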
@@ -1997,6 +2020,18 @@ spec: credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value. type: string + gcpServiceAccountEmail: + description: |- + GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate + after Workload Identity Federation. Use this to grant access through the service account's + IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides + service_account_impersonation_url in the external account JSON from credConfig; + when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation + on that ServiceAccount. + example: my-gsa@my-project.iam.gserviceaccount.com + minLength: 1 + pattern: ^.*@.*\.iam\.gserviceaccount\.com$ + type: string serviceAccountRef: description: |- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, @@ -4225,7 +4260,10 @@ spec: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + description: |- + AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + + Deprecated: Use auth.accessToken instead. properties: secretRef: description: SecretRef is a reference to a secret containing the Pulumi API token. 
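Review bot: `pattern: ^.*@.*\.iam\.gserviceaccount\.com$` on `gcpServiceAccountEmail` accepts almost anything in front of the suffix — spaces, a second `@`, a leading `*` — so a mistyped impersonation target is only rejected at the Workload Identity exchange rather than at admission; since user-managed service account IDs and project IDs are lowercase letters, digits and hyphens, something like `pattern: ^[a-z][a-z0-9-]+@[a-z][a-z0-9-]+\.iam\.gserviceaccount\.com$` plus `maxLength: 253` narrows it without excluding valid values (confirm the provider does not also need to accept non-`iam.gserviceaccount.com` emails). Because this field chooses which Google identity is impersonated and, per its own description, overrides the `iam.gke.io/gcp-service-account` annotation on the referenced ServiceAccount, the description should state plainly that the only remaining guard is the IAM binding on that service account, e.g. `Impersonation succeeds only if the workload identity is granted roles/iam.workloadIdentityUser on this service account.` The same field is added in gcraccesstoken.yaml, secretstore.yaml and the four templates/crds copies; the fix belongs in the generator that produces them.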
@@ -4258,6 +4296,91 @@ spec: default: https://api.pulumi.com/api/esc description: APIURL is the URL of the Pulumi API. type: string + auth: + description: |- + Auth configures how the Operator authenticates with the Pulumi API. + Either auth or the deprecated accessToken field must be specified. + properties: + accessToken: + description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + oidcConfig: + description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC. + properties: + expirationSeconds: + default: 600 + description: |- + ExpirationSeconds sets the token validity duration for service account and OIDC token. + Defaults to 10 minutes. + format: int64 + minimum: 600 + type: integer + organization: + description: Organization is the name of the Pulumi organization configured for OIDC authentication. + type: string + serviceAccountRef: + description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication. 
+ properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - organization + - serviceAccountRef + type: object + type: object + x-kubernetes-validations: + - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified + rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig)) environment: description: |- Environment are YAML documents composed of static key-value pairs, programmatic expressions, @@ -4274,11 +4397,13 @@ spec: description: Project is the name of the Pulumi ESC project the environment belongs to. type: string required: - - accessToken - environment - organization - project type: object + x-kubernetes-validations: + - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified + rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken)) scaleway: description: Scaleway configures this store to sync secrets using the Scaleway provider. properties: diff --git a/charts/external-secrets/crds/gcraccesstoken.yaml b/charts/external-secrets/crds/gcraccesstoken.yaml index 622a84e989..e191a7f441 100644 --- a/charts/external-secrets/crds/gcraccesstoken.yaml 
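Review bot: `auth.accessToken` declares `secretRef` but no `required`, so `auth: {accessToken: {}}` satisfies the new "exactly one of accessToken or oidcConfig" rule while carrying no credential reference at all, and the error then surfaces at reconcile time instead of admission; add `required:` / `- secretRef` under `auth.accessToken` (the deprecated top-level `accessToken` has the same gap, inherited from before this change). `oidcConfig.expirationSeconds` sets `minimum: 600` but no `maximum`, so the token lifetime is bounded only by whatever the API server's TokenRequest handling enforces — an explicit `maximum` would make the intended upper bound visible in the schema. The two pulumi validation rules are consistent with the `required` change in the following hunk. The same hunks recur in secretstore.yaml and templates/crds/clustersecretstore.yaml.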
+++ b/charts/external-secrets/crds/gcraccesstoken.yaml @@ -204,6 +204,18 @@ spec: credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value. type: string + gcpServiceAccountEmail: + description: |- + GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate + after Workload Identity Federation. Use this to grant access through the service account's + IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides + service_account_impersonation_url in the external account JSON from credConfig; + when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation + on that ServiceAccount. + example: my-gsa@my-project.iam.gserviceaccount.com + minLength: 1 + pattern: ^.*@.*\.iam\.gserviceaccount\.com$ + type: string serviceAccountRef: description: |- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, diff --git a/charts/external-secrets/crds/secretstore.yaml b/charts/external-secrets/crds/secretstore.yaml index e7af514110..fb749674d2 100644 --- a/charts/external-secrets/crds/secretstore.yaml +++ b/charts/external-secrets/crds/secretstore.yaml @@ -488,6 +488,16 @@ spec: type: object type: object type: object + customSessionTags: + additionalProperties: + type: string + description: |- + CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom. + These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags. + type: object + x-kubernetes-validations: + - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind' + rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)' externalID: description: AWS External ID set on assumed IAM roles type: string 
@@ -543,6 +553,19 @@ spec: - value type: object type: array + sessionTagsPolicy: + default: None + description: |- + SessionTagsPolicy controls whether and how STS session tags are added when assuming roles. + None (default): no tags are added. + Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags. + Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags. + Note: the IAM role must have sts:TagSession permission when using Simple or Custom. + enum: + - None + - Simple + - Custom + type: string transitiveTagKeys: description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: @@ -1997,6 +2020,18 @@ spec: credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value. type: string + gcpServiceAccountEmail: + description: |- + GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate + after Workload Identity Federation. Use this to grant access through the service account's + IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides + service_account_impersonation_url in the external account JSON from credConfig; + when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation + on that ServiceAccount. + example: my-gsa@my-project.iam.gserviceaccount.com + minLength: 1 + pattern: ^.*@.*\.iam\.gserviceaccount\.com$ + type: string serviceAccountRef: description: |- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, 
@@ -4225,7 +4260,10 @@ spec: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + description: |- + AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + + Deprecated: Use auth.accessToken instead. properties: secretRef: description: SecretRef is a reference to a secret containing the Pulumi API token. 
@@ -4258,6 +4296,91 @@ spec: default: https://api.pulumi.com/api/esc description: APIURL is the URL of the Pulumi API. type: string + auth: + description: |- + Auth configures how the Operator authenticates with the Pulumi API. + Either auth or the deprecated accessToken field must be specified. + properties: + accessToken: + description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + oidcConfig: + description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC. + properties: + expirationSeconds: + default: 600 + description: |- + ExpirationSeconds sets the token validity duration for service account and OIDC token. + Defaults to 10 minutes. + format: int64 + minimum: 600 + type: integer + organization: + description: Organization is the name of the Pulumi organization configured for OIDC authentication. + type: string + serviceAccountRef: + description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication. 
+ properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - organization + - serviceAccountRef + type: object + type: object + x-kubernetes-validations: + - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified + rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig)) environment: description: |- Environment are YAML documents composed of static key-value pairs, programmatic expressions, @@ -4274,11 +4397,13 @@ spec: description: Project is the name of the Pulumi ESC project the environment belongs to. type: string required: - - accessToken - environment - organization - project type: object + x-kubernetes-validations: + - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified + rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken)) scaleway: description: Scaleway configures this store to sync secrets using the Scaleway provider. properties: diff --git a/charts/external-secrets/templates/cert-controller-deployment.yaml b/charts/external-secrets/templates/cert-controller-deployment.yaml index 3b2f036cd7..60851fed87 100644 --- a/charts/external-secrets/templates/cert-controller-deployment.yaml 
+++ b/charts/external-secrets/templates/cert-controller-deployment.yaml @@ -99,6 +99,15 @@ spec: - --{{ $key }} {{- end }} {{- end }} + {{- if .Values.certController.metrics.listen.secure.enabled }} + - --metrics-secure=true + - --metrics-cert-dir={{ .Values.certController.metrics.listen.secure.certDir }} + - --metrics-cert-name={{ .Values.certController.metrics.listen.secure.certFile }} + - --metrics-key-name={{ .Values.certController.metrics.listen.secure.keyFile }} + {{- end }} + {{- if .Values.certController.metrics.listen.auth.enabled }} + - --metrics-auth=true + {{- end }} ports: - containerPort: {{ .Values.certController.metrics.listen.port }} protocol: TCP diff --git a/charts/external-secrets/templates/cert-controller-rbac.yaml b/charts/external-secrets/templates/cert-controller-rbac.yaml index ec947e780f..6646ddab4a 100644 --- a/charts/external-secrets/templates/cert-controller-rbac.yaml +++ b/charts/external-secrets/templates/cert-controller-rbac.yaml @@ -76,6 +76,20 @@ rules: - "create" - "update" - "patch" + {{- if .Values.certController.metrics.listen.auth.enabled }} + - apiGroups: + - "authentication.k8s.io" + resources: + - "tokenreviews" + verbs: + - "create" + - apiGroups: + - "authorization.k8s.io" + resources: + - "subjectaccessreviews" + verbs: + - "create" + {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/external-secrets/templates/cert-controller-serviceaccount.yaml b/charts/external-secrets/templates/cert-controller-serviceaccount.yaml index 6a36f9d713..8e2ed761e5 100644 --- a/charts/external-secrets/templates/cert-controller-serviceaccount.yaml +++ b/charts/external-secrets/templates/cert-controller-serviceaccount.yaml 
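Review bot: `--metrics-auth=true` is emitted from `certController.metrics.listen.auth.enabled` independently of `secure.enabled`, although the values documentation in this same commit says auth requires secure; unless the binary rejects the combination itself, a render-time guard such as `{{- if and .Values.certController.metrics.listen.auth.enabled (not .Values.certController.metrics.listen.secure.enabled) }}{{ fail "certController.metrics.listen.auth.enabled requires certController.metrics.listen.secure.enabled" }}{{- end }}` turns a bearer-token-over-plaintext misconfiguration into a `helm template` failure. The documented default for `certFile` is the absolute path `/etc/tls/tls.crt` while the flag is called `--metrics-cert-name`; if the controller joins that with `--metrics-cert-dir`, the default would not resolve, so it is worth confirming against the flag's parsing. The three path values are interpolated unquoted into the args list; `| quote` would keep a value containing YAML specials from breaking the manifest, matching the risk already present on the `--{{ $key }}` lines above. The accompanying cert-controller-rbac.yaml hunk grants only `tokenreviews` and `subjectaccessreviews` create, which is the minimum the auth filter needs.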
@@ -14,3 +14,22 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} +--- +{{- if and .Values.certController.metrics.listen.auth.enabled .Values.certController.create .Values.certController.serviceAccount.create (not .Values.webhook.certManager.enabled) -}} +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}-token + namespace: {{ template "external-secrets.namespace" . }} + labels: + {{- include "external-secrets-cert-controller.labels" . | nindent 4 }} + {{- with .Values.certController.serviceAccount.extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + kubernetes.io/service-account.name: {{ include "external-secrets-cert-controller.serviceAccountName" . }} + {{- with .Values.certController.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/external-secrets/templates/crds/clustergenerator.yaml b/charts/external-secrets/templates/crds/clustergenerator.yaml index ad64bfd6a4..2a89ea70a2 100644 --- a/charts/external-secrets/templates/crds/clustergenerator.yaml +++ b/charts/external-secrets/templates/crds/clustergenerator.yaml 
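Review bot: This hunk creates a `kubernetes.io/service-account-token` Secret for the cert-controller ServiceAccount, i.e. a static, non-expiring bearer credential carrying everything the cert-controller ClusterRole grants, and nothing in the template says what consumes it or why a projected token is not sufficient. Any principal with `get` on Secrets in the release namespace obtains that credential, so the intent deserves a comment above `kind: Secret`, e.g. `{{/* Static, non-expiring token for <consumer — e.g. the metrics scraper> to call the RBAC-protected metrics endpoint; readers of this Secret hold the cert-controller's ClusterRole permissions. Prefer a projected/TokenRequest token where the consumer supports it. */}}`. The `---` separator sits outside the `{{- if` guard, so a render with auth disabled ends in an empty trailing document; moving it inside the guard avoids that. The condition also keys on `webhook.certManager.enabled`, which presumably mirrors when the cert-controller Deployment itself is rendered — worth confirming that the two conditions stay in step.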
@@ -571,6 +571,18 @@ spec: credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value. type: string + gcpServiceAccountEmail: + description: |- + GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate + after Workload Identity Federation. Use this to grant access through the service account's + IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides + service_account_impersonation_url in the external account JSON from credConfig; + when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation + on that ServiceAccount. + example: my-gsa@my-project.iam.gserviceaccount.com + minLength: 1 + pattern: ^.*@.*\.iam\.gserviceaccount\.com$ + type: string serviceAccountRef: description: |- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, diff --git a/charts/external-secrets/templates/crds/clustersecretstore.yaml b/charts/external-secrets/templates/crds/clustersecretstore.yaml index 3d28288097..b10d1dfd44 100644 --- a/charts/external-secrets/templates/crds/clustersecretstore.yaml +++ b/charts/external-secrets/templates/crds/clustersecretstore.yaml @@ -493,6 +493,16 @@ spec: type: object type: object type: object + customSessionTags: + additionalProperties: + type: string + description: |- + CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom. + These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags. + type: object + x-kubernetes-validations: + - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind' + rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)' externalID: description: AWS External ID set on assumed IAM roles type: string 
@@ -548,6 +558,19 @@ spec: - value type: object type: array + sessionTagsPolicy: + default: None + description: |- + SessionTagsPolicy controls whether and how STS session tags are added when assuming roles. + None (default): no tags are added. + Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags. + Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags. + Note: the IAM role must have sts:TagSession permission when using Simple or Custom. + enum: + - None + - Simple + - Custom + type: string transitiveTagKeys: description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: @@ -2002,6 +2025,18 @@ spec: credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value. type: string + gcpServiceAccountEmail: + description: |- + GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate + after Workload Identity Federation. Use this to grant access through the service account's + IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides + service_account_impersonation_url in the external account JSON from credConfig; + when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation + on that ServiceAccount. + example: my-gsa@my-project.iam.gserviceaccount.com + minLength: 1 + pattern: ^.*@.*\.iam\.gserviceaccount\.com$ + type: string serviceAccountRef: description: |- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, 
@@ -4230,7 +4265,10 @@ spec: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + description: |- + AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + + Deprecated: Use auth.accessToken instead. properties: secretRef: description: SecretRef is a reference to a secret containing the Pulumi API token. 
@@ -4263,6 +4301,91 @@ spec: default: https://api.pulumi.com/api/esc description: APIURL is the URL of the Pulumi API. type: string + auth: + description: |- + Auth configures how the Operator authenticates with the Pulumi API. + Either auth or the deprecated accessToken field must be specified. + properties: + accessToken: + description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + oidcConfig: + description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC. + properties: + expirationSeconds: + default: 600 + description: |- + ExpirationSeconds sets the token validity duration for service account and OIDC token. + Defaults to 10 minutes. + format: int64 + minimum: 600 + type: integer + organization: + description: Organization is the name of the Pulumi organization configured for OIDC authentication. + type: string + serviceAccountRef: + description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication. 
+ properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - organization + - serviceAccountRef + type: object + type: object + x-kubernetes-validations: + - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified + rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig)) environment: description: |- Environment are YAML documents composed of static key-value pairs, programmatic expressions, @@ -4279,11 +4402,13 @@ spec: description: Project is the name of the Pulumi ESC project the environment belongs to. type: string required: - - accessToken - environment - organization - project type: object + x-kubernetes-validations: + - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified + rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken)) scaleway: description: Scaleway configures this store to sync secrets using the Scaleway provider. properties: diff --git a/charts/external-secrets/templates/crds/gcraccesstoken.yaml b/charts/external-secrets/templates/crds/gcraccesstoken.yaml index 99fd513e7a..7b50284005 100644 --- a/charts/external-secrets/templates/crds/gcraccesstoken.yaml 
+++ b/charts/external-secrets/templates/crds/gcraccesstoken.yaml @@ -209,6 +209,18 @@ spec: credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value. type: string + gcpServiceAccountEmail: + description: |- + GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate + after Workload Identity Federation. Use this to grant access through the service account's + IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides + service_account_impersonation_url in the external account JSON from credConfig; + when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation + on that ServiceAccount. + example: my-gsa@my-project.iam.gserviceaccount.com + minLength: 1 + pattern: ^.*@.*\.iam\.gserviceaccount\.com$ + type: string serviceAccountRef: description: |- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, diff --git a/charts/external-secrets/templates/crds/secretstore.yaml b/charts/external-secrets/templates/crds/secretstore.yaml index 8242886f94..59c11851a8 100644 --- a/charts/external-secrets/templates/crds/secretstore.yaml +++ b/charts/external-secrets/templates/crds/secretstore.yaml 
@@ -493,6 +493,16 @@ spec: type: object type: object type: object + customSessionTags: + additionalProperties: + type: string + description: |- + CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom. + These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags. + type: object + x-kubernetes-validations: + - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind' + rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)' externalID: description: AWS External ID set on assumed IAM roles type: string @@ -548,6 +558,19 @@ spec: - value type: object type: array + sessionTagsPolicy: + default: None + description: |- + SessionTagsPolicy controls whether and how STS session tags are added when assuming roles. + None (default): no tags are added. + Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags. + Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags. + Note: the IAM role must have sts:TagSession permission when using Simple or Custom. + enum: + - None + - Simple + - Custom + type: string transitiveTagKeys: description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: 
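Review bot: The CEL rule on `customSessionTags` only blocks the three reserved keys; nothing in the schema bounds the number of entries or the length of keys and values, so a store that exceeds the STS limits (50 session tags per request, 128-character keys, 256-character values) passes admission and fails only when the controller calls AssumeRole. Adding `maxProperties` to the map and a `maxLength` to the `additionalProperties` string moves that failure to admission, where the author of the SecretStore sees it. Because the three injected tags travel in the same request, the effective budget for custom tags is smaller than 50, which the description could state explicitly.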
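Review bot: Nothing ties `customSessionTags` to `sessionTagsPolicy`: a store that sets `customSessionTags` while leaving the policy at its default `None` (or at `Simple`) is accepted, and according to the descriptions the tags are then never sent, which silently defeats an access-control intent the author thought was in force. A CEL rule on the enclosing object, e.g. `message: customSessionTags requires sessionTagsPolicy to be Custom` with `rule: "!has(self.customSessionTags) || self.sessionTagsPolicy == 'Custom'"`, would surface the mismatch at admission; that enclosing object starts outside this hunk. As with the other CRD changes on this page, the marker belongs on the generated type rather than in the chart output.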
@@ -2002,6 +2025,18 @@ spec: credential_source.url in the provided credConfig. This field is merely to double-check the external token source URL is having the expected value. type: string + gcpServiceAccountEmail: + description: |- + GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate + after Workload Identity Federation. Use this to grant access through the service account's + IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides + service_account_impersonation_url in the external account JSON from credConfig; + when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation + on that ServiceAccount. + example: my-gsa@my-project.iam.gserviceaccount.com + minLength: 1 + pattern: ^.*@.*\.iam\.gserviceaccount\.com$ + type: string serviceAccountRef: description: |- serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens, @@ -4230,7 +4265,10 @@ spec: description: Pulumi configures this store to sync secrets using the Pulumi provider properties: accessToken: - description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + description: |- + AccessToken is the access tokens to sign in to the Pulumi Cloud Console. + + Deprecated: Use auth.accessToken instead. properties: secretRef: description: SecretRef is a reference to a secret containing the Pulumi API token. 
@@ -4263,6 +4301,91 @@ spec: default: https://api.pulumi.com/api/esc description: APIURL is the URL of the Pulumi API. type: string + auth: + description: |- + Auth configures how the Operator authenticates with the Pulumi API. + Either auth or the deprecated accessToken field must be specified. + properties: + accessToken: + description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret. + properties: + secretRef: + description: SecretRef is a reference to a secret containing the Pulumi API token. + properties: + key: + description: |- + A key in the referenced Secret. + Some instances of this field may be defaulted, in others it may be required. + maxLength: 253 + minLength: 1 + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: The name of the Secret resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + The namespace of the Secret resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + oidcConfig: + description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC. + properties: + expirationSeconds: + default: 600 + description: |- + ExpirationSeconds sets the token validity duration for service account and OIDC token. + Defaults to 10 minutes. + format: int64 + minimum: 600 + type: integer + organization: + description: Organization is the name of the Pulumi organization configured for OIDC authentication. + type: string + serviceAccountRef: + description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication. 
+ properties: + audiences: + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list + items: + type: string + type: array + name: + description: The name of the ServiceAccount resource being referred to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + namespace: + description: |- + Namespace of the resource being referred to. + Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - organization + - serviceAccountRef + type: object + type: object + x-kubernetes-validations: + - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified + rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig)) environment: description: |- Environment are YAML documents composed of static key-value pairs, programmatic expressions, @@ -4279,11 +4402,13 @@ spec: description: Project is the name of the Pulumi ESC project the environment belongs to. type: string required: - - accessToken - environment - organization - project type: object + x-kubernetes-validations: + - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified + rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken)) scaleway: description: Scaleway configures this store to sync secrets using the Scaleway provider. properties: diff --git a/charts/external-secrets/templates/deployment.yaml b/charts/external-secrets/templates/deployment.yaml index 4e461c2bbb..bcdd064de9 100644 --- a/charts/external-secrets/templates/deployment.yaml 
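Review bot: `auth.accessToken` declares `secretRef` but neither lists it as `required` nor requires `name`/`key` inside it, so `auth: {accessToken: {}}` satisfies the new "Exactly one of 'accessToken' or 'oidcConfig'" rule and passes admission while carrying no credential at all, unlike `oidcConfig`, which requires `organization` and `serviceAccountRef.name`. Adding `required: [secretRef]` under `auth.accessToken` (and, if the selector type used here permits it, `required: [name, key]` on the ref) lets the schema reject an empty auth block instead of leaving it to the reconciler. The `secretRef` shape looks like a shared secret-key selector whose optional fields exist for other call sites, so the marker change should go on the Pulumi-specific type; the tail of what appears to be the identical hunk for the cluster-scoped store is visible at the top of this page (its header is outside this excerpt) and should be regenerated together.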
+++ b/charts/external-secrets/templates/deployment.yaml @@ -69,7 +69,6 @@ spec: {{- end }} image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image "context" .) | trim }} imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.processClusterPushSecret) (.Values.concurrent) (.Values.extraArgs) }} args: {{- if .Values.leaderElect }} - --enable-leader-election=true @@ -77,10 +76,10 @@ spec: {{- if .Values.leaderElectionID }} - --leader-election-id={{ .Values.leaderElectionID }} {{- end }} - {{- if .Values.scopedNamespace }} - - --namespace={{ .Values.scopedNamespace }} + {{- if or .Values.scopedNamespace .Values.scopedRBAC }} + - --namespace={{ .Values.scopedNamespace | default .Release.Namespace }} {{- end }} - {{- if and .Values.scopedNamespace .Values.scopedRBAC }} + {{- if .Values.scopedRBAC }} - --enable-cluster-store-reconciler=false - --enable-cluster-external-secret-reconciler=false - --enable-cluster-push-secret-reconciler=false @@ -129,7 +128,6 @@ spec: - --{{ $key }} {{- end }} {{- end }} - {{- end }} - --metrics-addr=:{{ .Values.metrics.listen.port }} - --loglevel={{ .Values.log.level }} - --zap-time-encoding={{ .Values.log.timeEncoding }} @@ -146,6 +144,9 @@ spec: - --metrics-cert-name={{ .Values.metrics.listen.secure.certFile }} - --metrics-key-name={{ .Values.metrics.listen.secure.keyFile }} {{- end }} + {{- if .Values.metrics.listen.auth.enabled }} + - --metrics-auth=true + {{- end }} ports: - containerPort: {{ .Values.metrics.listen.port }} protocol: TCP diff --git a/charts/external-secrets/templates/rbac.yaml b/charts/external-secrets/templates/rbac.yaml index ca21bc5724..28084be117 100644 --- a/charts/external-secrets/templates/rbac.yaml +++ b/charts/external-secrets/templates/rbac.yaml 
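Review bot: `--metrics-auth=true` is emitted solely on `.Values.metrics.listen.auth.enabled`, while the values comment states the option requires `metrics.listen.secure` to be true; nothing in the template enforces that, so `auth.enabled: true` with `secure.enabled: false` renders a controller that expects bearer tokens on a plaintext listener, and whether the binary rejects or accepts that combination is not visible here. A render-time guard makes the contract explicit: `{{- if and .Values.metrics.listen.auth.enabled (not .Values.metrics.listen.secure.enabled) }}{{ fail "metrics.listen.auth.enabled requires metrics.listen.secure.enabled=true" }}{{- end }}`. The same applies to the webhook flags added in webhook-deployment.yaml (`@@ -91,6 +91,15 @@`) and presumably to the cert-controller deployment, which is not part of this excerpt.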
@@ -1,14 +1,14 @@ {{- if .Values.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1 -{{- if and .Values.scopedNamespace .Values.scopedRBAC }} +{{- if .Values.scopedRBAC }} kind: Role {{- else }} kind: ClusterRole {{- end }} metadata: name: {{ include "external-secrets.fullname" . }}-controller - {{- if and .Values.scopedNamespace .Values.scopedRBAC }} - namespace: {{ .Values.scopedNamespace | quote }} + {{- if .Values.scopedRBAC }} + namespace: {{ .Values.scopedNamespace | default .Release.Namespace | quote }} {{- end }} labels: {{- include "external-secrets.labels" . | nindent 4 }} @@ -180,12 +180,14 @@ rules: {{- end }} {{- end }} {{- end }} + {{- if .Values.rbac.serviceAccountTokenCreate }} - apiGroups: - "" resources: - "serviceaccounts/token" verbs: - "create" + {{- end }} - apiGroups: - "" resources: @@ -193,6 +195,7 @@ rules: verbs: - "create" - "patch" + {{- if .Values.processClusterExternalSecret }} - apiGroups: - "external-secrets.io" resources: @@ -201,6 +204,7 @@ rules: - "create" - "update" - "delete" + {{- end }} {{- if .Values.processPushSecret }} - apiGroups: - "external-secrets.io" @@ -211,17 +215,31 @@ rules: - "update" - "delete" {{- end }} + {{- if .Values.metrics.listen.auth.enabled }} + - apiGroups: + - "authentication.k8s.io" + resources: + - "tokenreviews" + verbs: + - "create" + - apiGroups: + - "authorization.k8s.io" + resources: + - "subjectaccessreviews" + verbs: + - "create" + {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 -{{- if and .Values.scopedNamespace .Values.scopedRBAC }} +{{- if .Values.scopedRBAC }} kind: Role {{- else }} kind: ClusterRole {{- end }} metadata: name: {{ include "external-secrets.fullname" . }}-view - {{- if and .Values.scopedNamespace .Values.scopedRBAC }} - namespace: {{ .Values.scopedNamespace | quote }} + {{- if .Values.scopedRBAC }} + namespace: {{ .Values.scopedNamespace | default .Release.Namespace | quote }} {{- end }} labels: {{- include "external-secrets.labels" . | nindent 4 }} 
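Review bot: The `tokenreviews` and `subjectaccessreviews` rules are appended to the controller role that becomes a namespaced `Role` when `scopedRBAC` is true, but both resources are cluster-scoped and a `Role` cannot grant them, so with metrics auth enabled every scoped-RBAC install renders a Role the API server accepts but that never authorizes the controller's TokenReview/SubjectAccessReview calls. webhook-rbac.yaml in this same change already uses a dedicated `ClusterRole`/`ClusterRoleBinding` for exactly these two rules; the controller needs the same, gated on `rbac.create` and `metrics.listen.auth.enabled` independently of `scopedRBAC`, which also keeps the metrics-auth grant visible on its own rather than folded into the broad controller role. The `-metrics-auth` suffix below is illustrative.

```yaml
{{- if and .Values.rbac.create .Values.metrics.listen.auth.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "external-secrets.fullname" . }}-metrics-auth
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - "authentication.k8s.io"
    resources:
      - "tokenreviews"
    verbs:
      - "create"
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - "subjectaccessreviews"
    verbs:
      - "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-metrics-auth
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "external-secrets.fullname" . }}-metrics-auth
subjects:
  - kind: ServiceAccount
    name: {{ include "external-secrets.serviceAccountName" . }}
    namespace: {{ template "external-secrets.namespace" . }}
{{- end }}
```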
@@ -278,15 +296,15 @@ rules: - "list" --- apiVersion: rbac.authorization.k8s.io/v1 -{{- if and .Values.scopedNamespace .Values.scopedRBAC }} +{{- if .Values.scopedRBAC }} kind: Role {{- else }} kind: ClusterRole {{- end }} metadata: name: {{ include "external-secrets.fullname" . }}-edit - {{- if and .Values.scopedNamespace .Values.scopedRBAC }} - namespace: {{ .Values.scopedNamespace | quote }} + {{- if .Values.scopedRBAC }} + namespace: {{ .Values.scopedNamespace | default .Release.Namespace | quote }} {{- end }} labels: {{- include "external-secrets.labels" . | nindent 4 }} @@ -344,21 +362,21 @@ rules: - "update" --- apiVersion: rbac.authorization.k8s.io/v1 -{{- if and .Values.scopedNamespace .Values.scopedRBAC }} +{{- if .Values.scopedRBAC }} kind: RoleBinding {{- else }} kind: ClusterRoleBinding {{- end }} metadata: name: {{ include "external-secrets.fullname" . }}-controller - {{- if and .Values.scopedNamespace .Values.scopedRBAC }} - namespace: {{ .Values.scopedNamespace | quote }} + {{- if .Values.scopedRBAC }} + namespace: {{ .Values.scopedNamespace | default .Release.Namespace | quote }} {{- end }} labels: {{- include "external-secrets.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io - {{- if and .Values.scopedNamespace .Values.scopedRBAC }} + {{- if .Values.scopedRBAC }} kind: Role {{- else }} kind: ClusterRole diff --git a/charts/external-secrets/templates/serviceaccount.yaml b/charts/external-secrets/templates/serviceaccount.yaml index ceaa98e1c5..4f3843ab37 100644 --- a/charts/external-secrets/templates/serviceaccount.yaml +++ b/charts/external-secrets/templates/serviceaccount.yaml 
@@ -14,3 +14,22 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} +--- +{{- if and .Values.metrics.listen.auth.enabled .Values.serviceAccount.create -}} +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ include "external-secrets.serviceAccountName" . }}-token + namespace: {{ template "external-secrets.namespace" . }} + labels: + {{- include "external-secrets.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + kubernetes.io/service-account.name: {{ include "external-secrets.serviceAccountName" . }} + {{- with .Values.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/external-secrets/templates/servicemonitor.yaml b/charts/external-secrets/templates/servicemonitor.yaml index 291dabce41..280984ba2a 100644 --- a/charts/external-secrets/templates/servicemonitor.yaml +++ b/charts/external-secrets/templates/servicemonitor.yaml @@ -30,6 +30,13 @@ spec: relabelings: {{- toYaml . | nindent 6 }} {{- end }} + {{- if .Values.metrics.listen.auth.enabled }} + authorization: + credentials: + name: {{ include "external-secrets.serviceAccountName" . }}-token + key: token + type: Bearer + {{- end }} --- {{- if .Values.webhook.create }} apiVersion: "monitoring.coreos.com/v1" @@ -62,6 +69,13 @@ spec: relabelings: {{- toYaml . | nindent 6 }} {{- end }} + {{- if .Values.webhook.metrics.listen.auth.enabled }} + authorization: + credentials: + name: {{ include "external-secrets-webhook.serviceAccountName" . }}-token + key: token + type: Bearer + {{- end }} {{- end }} --- {{- if .Values.certController.create }} 
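Review bot: The new Secret mints a non-expiring `kubernetes.io/service-account-token` for the controller's own ServiceAccount — the identity bound to the controller Role/ClusterRole in rbac.yaml, which includes `create` on `serviceaccounts/token` — and hands it to Prometheus purely so it can scrape `/metrics`. Anyone who can read that Secret, or the scrape credentials mounted into the Prometheus pod, inherits the controller's full privileges, and long-lived secret-based tokens are precisely what the TokenRequest API was introduced to retire. A least-privilege shape is a dedicated reader ServiceAccount bound to a ClusterRole granting only `get` on `nonResourceURLs: ["/metrics"]` (assuming the controller's authorizer checks that, as the controller-runtime filter does), with the Secret's `kubernetes.io/service-account.name` annotation pointing at that reader; alternatively let Prometheus present its own projected token and bind its ServiceAccount instead. webhook-serviceaccount.yaml (`@@ -14,3 +14,22 @@`) has the same pattern; the `-metrics-reader` suffix below is illustrative.

```yaml
{{- if and .Values.metrics.listen.auth.enabled .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "external-secrets.serviceAccountName" . }}-metrics-reader
  namespace: {{ template "external-secrets.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "external-secrets.fullname" . }}-metrics-reader
rules:
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - "get"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-metrics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "external-secrets.fullname" . }}-metrics-reader
subjects:
  - kind: ServiceAccount
    name: {{ include "external-secrets.serviceAccountName" . }}-metrics-reader
    namespace: {{ template "external-secrets.namespace" . }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: {{ include "external-secrets.serviceAccountName" . }}-token
  namespace: {{ template "external-secrets.namespace" . }}
  # … unchanged: labels and user-supplied annotations …
  annotations:
    kubernetes.io/service-account.name: {{ include "external-secrets.serviceAccountName" . }}-metrics-reader
{{- end }}
```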
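Review bot: The `authorization.credentials` block references the `<serviceAccountName>-token` Secret whenever `metrics.listen.auth.enabled` is set, but serviceaccount.yaml creates that Secret only when `serviceAccount.create` is also true, so a deployment that brings its own ServiceAccount renders a ServiceMonitor whose credentials Secret does not exist. Either gate the block on the same pair of values, `{{- if and .Values.metrics.listen.auth.enabled .Values.serviceAccount.create }}`, or turn auth-enabled-without-created-SA into a render-time `fail`, and document the Secret name the bring-your-own case is expected to provide. The webhook and cert-controller blocks (`@@ -62,6 +69,13 @@` here and `@@ -95,5 +109,12 @@` on the next line) have the same mismatch against the conditions in webhook-serviceaccount.yaml.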
@@ -95,5 +109,12 @@ spec: relabelings: {{- toYaml . | nindent 6 }} {{- end }} + {{- if .Values.certController.metrics.listen.auth.enabled }} + authorization: + credentials: + name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}-token + key: token + type: Bearer + {{- end }} {{- end }} {{- end }} diff --git a/charts/external-secrets/templates/webhook-deployment.yaml b/charts/external-secrets/templates/webhook-deployment.yaml index 77c76c665f..dc9cf61645 100644 --- a/charts/external-secrets/templates/webhook-deployment.yaml +++ b/charts/external-secrets/templates/webhook-deployment.yaml @@ -91,6 +91,15 @@ spec: - --{{ $key }} {{- end }} {{- end }} + {{- if .Values.webhook.metrics.listen.secure.enabled }} + - --metrics-secure=true + - --metrics-cert-dir={{ .Values.webhook.metrics.listen.secure.certDir }} + - --metrics-cert-name={{ .Values.webhook.metrics.listen.secure.certFile }} + - --metrics-key-name={{ .Values.webhook.metrics.listen.secure.keyFile }} + {{- end }} + {{- if .Values.webhook.metrics.listen.auth.enabled }} + - --metrics-auth=true + {{- end }} ports: - containerPort: {{ .Values.webhook.metrics.listen.port }} protocol: TCP diff --git a/charts/external-secrets/templates/webhook-rbac.yaml b/charts/external-secrets/templates/webhook-rbac.yaml new file mode 100644 index 0000000000..e69e0e549d --- /dev/null +++ b/charts/external-secrets/templates/webhook-rbac.yaml 
@@ -0,0 +1,36 @@ +{{- if and .Values.webhook.metrics.listen.auth.enabled .Values.webhook.create .Values.webhook.serviceAccount.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "external-secrets.fullname" . }}-webhook-metrics-auth + labels: + {{- include "external-secrets-webhook.labels" . | nindent 4 }} +rules: + - apiGroups: + - "authentication.k8s.io" + resources: + - "tokenreviews" + verbs: + - "create" + - apiGroups: + - "authorization.k8s.io" + resources: + - "subjectaccessreviews" + verbs: + - "create" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "external-secrets.fullname" . }}-webhook-metrics-auth + labels: + {{- include "external-secrets-webhook.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "external-secrets.fullname" . }}-webhook-metrics-auth +subjects: + - name: {{ include "external-secrets-webhook.serviceAccountName" . }} + namespace: {{ template "external-secrets.namespace" . }} + kind: ServiceAccount +{{- end }} \ No newline at end of file diff --git a/charts/external-secrets/templates/webhook-serviceaccount.yaml b/charts/external-secrets/templates/webhook-serviceaccount.yaml index 1936218425..4fff9498ba 100644 --- a/charts/external-secrets/templates/webhook-serviceaccount.yaml +++ b/charts/external-secrets/templates/webhook-serviceaccount.yaml 
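Review bot: The guard `{{- if and .Values.webhook.metrics.listen.auth.enabled .Values.webhook.create .Values.webhook.serviceAccount.create }}` omits `.Values.rbac.create`, whereas rbac.yaml wraps every Role/ClusterRole in `{{- if .Values.rbac.create -}}`; an install that manages RBAC externally and disables it will still get this ClusterRole and ClusterRoleBinding created. Adding `.Values.rbac.create` to the `and` restores the chart-wide contract. Note also that with `webhook.serviceAccount.create: false` the grant is skipped while webhook-deployment.yaml still passes `--metrics-auth=true`, so the bring-your-own-ServiceAccount case needs either documentation of the required permissions or a `fail`. The file is also missing its trailing newline (`\ No newline at end of file`).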
@@ -14,3 +14,22 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} +--- +{{- if and .Values.webhook.metrics.listen.auth.enabled .Values.webhook.create .Values.webhook.serviceAccount.create -}} +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ include "external-secrets-webhook.serviceAccountName" . }}-token + namespace: {{ template "external-secrets.namespace" . }} + labels: + {{- include "external-secrets-webhook.labels" . | nindent 4 }} + {{- with .Values.webhook.serviceAccount.extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + kubernetes.io/service-account.name: {{ include "external-secrets-webhook.serviceAccountName" . }} + {{- with .Values.webhook.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/external-secrets/values.schema.json b/charts/external-secrets/values.schema.json index 64aa91d74b..0c36f371db 100644 --- a/charts/external-secrets/values.schema.json +++ b/charts/external-secrets/values.schema.json @@ -121,8 +121,33 @@ "listen": { "type": "object", "properties": { + "auth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" + }, + "secure": { + "type": "object", + "properties": { + "certDir": { + "type": "string" + }, + "certFile": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "keyFile": { + "type": "string" + } + } } } }, @@ -585,6 +610,14 @@ "listen": { "type": "object", "properties": { + "auth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" }, @@ -702,6 +735,9 @@ "create": { "type": "boolean" }, + "serviceAccountTokenCreate": { + "type": "boolean" + }, "servicebindings": { "type": "object", "properties": { 
@@ -1070,8 +1106,33 @@ "listen": { "type": "object", "properties": { + "auth": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, "port": { "type": "integer" + }, + "secure": { + "type": "object", + "properties": { + "certDir": { + "type": "string" + }, + "certFile": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "keyFile": { + "type": "string" + } + } } } }, diff --git a/charts/external-secrets/values.yaml b/charts/external-secrets/values.yaml index f91ec9f5a7..d75f721ef2 100644 --- a/charts/external-secrets/values.yaml +++ b/charts/external-secrets/values.yaml @@ -108,8 +108,8 @@ extendedMetricLabels: false # provided namespace scopedNamespace: "" -# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace -# and implicitly disable cluster stores and cluster external secrets +# -- If true, create scoped RBAC roles and implicitly disable cluster-scoped +# controllers. Scoped to scopedNamespace if set, otherwise to .Release.Namespace. scopedRBAC: false # -- If true the OpenShift finalizer permissions will be added to RBAC @@ -197,6 +197,11 @@ rbac: # -- Specifies whether role and rolebinding resources should be created. create: true + # -- Specifies whether the serviceaccounts/token create permission is included in the controller RBAC. + # When set to false, users must create per-ServiceAccount Role/RoleBinding with resourceNames constraint + # to grant ESO token creation for specific ServiceAccounts referenced in SecretStore specs. + serviceAccountTokenCreate: true + servicebindings: # -- Specifies whether a clusterrole to give servicebindings read access should be created. create: true 
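Review bot: The new `serviceAccountTokenCreate` comment explains the `false` case but not what the default grants: with `true` the controller role carries `create` on `serviceaccounts/token` with no `resourceNames`, i.e. the controller can request a token for any ServiceAccount within its RBAC scope, which is exactly the capability the flag exists to confine. A sentence stating that, e.g. `# When true, the controller can mint tokens for every ServiceAccount in its RBAC scope (cluster-wide unless scopedRBAC is set).`, helps operators choose deliberately rather than by default. The rbac.yaml hunk this flag controls is `@@ -180,12 +180,14 @@` earlier on this page.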
@@ -316,6 +321,9 @@ metrics: listen: port: 8080 + auth: + # -- Enable Kubernetes RBAC-based authentication for metrics endpoint. Requires metrics.listen.secure to be true. Default value is false. + enabled: false secure: enabled: false # -- if those are not set or invalid, self-signed certs will be generated @@ -551,6 +559,18 @@ webhook: listen: port: 8080 + auth: + # -- Enable Kubernetes RBAC-based authentication for webhook's metrics endpoint. Requires webhook.metrics.listen.secure to be true. Default value is false. + enabled: false + secure: + enabled: false + # -- if those are not set or invalid, self-signed certs will be generated + # -- TLS cert directory path + certDir: /etc/tls + # -- TLS cert file path + certFile: /etc/tls/tls.crt + # -- TLS key file path + keyFile: /etc/tls/tls.key service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics @@ -715,6 +735,18 @@ certController: listen: port: 8080 + auth: + # -- Enable Kubernetes RBAC-based authentication for certController's metrics endpoint. Requires certController.metrics.listen.secure to be true. Default value is false. + enabled: false + secure: + enabled: false + # -- if those are not set or invalid, self-signed certs will be generated + # -- TLS cert directory path + certDir: /etc/tls + # -- TLS cert file path + certFile: /etc/tls/tls.crt + # -- TLS key file path + keyFile: /etc/tls/tls.key service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics