Merge pull request #36 from itscontained/backend/gcp

Add GCP Secret Manager Backend
itscontained · Sep 16, 2020 · 2eb37b5 · 2eb37b5
2 parents 5139d92 + d765be1
commit 2eb37b5
Show file tree

Hide file tree

Showing 29 changed files with 858 additions and 69 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,6 +9,21 @@ repos:
         types: ['file']
         files: '^deploy/charts/.*(\.ya?ml|\.tpl|\.helmignore|NOTES.txt)'
         entry: -u 0 quay.io/helmpack/chart-testing:v3.0.0 ct lint --config .ct.yaml
+      - id: make-fmt
+        name: "make fmt"
+        language: system
+        pass_filenames: false
+        entry: make fmt
+      - id: make-lint
+        name: "make lint"
+        language: system
+        pass_filenames: false
+        entry: make lint
+      - id: make-test
+        name: "make test"
+        language: system
+        pass_filenames: false
+        entry: make test
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v3.2.0
     hooks:

diff --git a/Dockerfile b/Dockerfile
@@ -10,10 +10,14 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY cmd/ cmd/
-COPY pkg/ pkg/
+COPY cmd cmd/
+COPY pkg pkg/
 COPY Makefile Makefile
 
+# Copy the dirs for make
+COPY build build/
+COPY .git .git/
+
 # Build
 RUN make build
 

diff --git a/Makefile b/Makefile
@@ -66,8 +66,8 @@ manifests: controller-gen ## Generate CRD manifests
 generate: controller-gen ## Generate CRD code
 	$(CONTROLLER_GEN) object:headerFile="build/boilerplate.go.txt" paths="./pkg/apis/..."
 
-docker-build: manifests generate test build ## Build the docker image
-	docker build . -t $(IMG)
+docker-build: manifests generate test ## Build the docker image
+	docker build . -t $(IMG) --load
 
 crds-to-chart: ## copy crds to helm chart directory
 	cp deploy/crds/*.yaml $(HELM_DIR)/templates/crds/; \
@@ -79,7 +79,9 @@ docker-build-kind-deploy: docker-build crds-to-chart ## copy
 	kind load docker-image ${IMG} --name test
 	kind export kubeconfig --name test --kubeconfig $(HOME)/.kube/configs/kind-test.yaml
 	kubie ctx kind-test --namespace kube-system
-	helm upgrade secret-manager $(HELM_DIR)/. -f values.yaml --set image.tag=$(IMG_TAG),image.pullPolicy=IfNotPresent,installCRDs=true --namespace kube-system --install
+	helm upgrade secret-manager $(HELM_DIR)/. -f  $(HELM_DIR)/values.yaml \
+	--set image.tag=$(IMG_TAG),image.pullPolicy=IfNotPresent,installCRDs=true,leaderElect=false \
+	--namespace kube-system --install
 
 docker-push: ## Push the docker image
 	docker push ${IMG}

diff --git a/README.md b/README.md
@@ -6,9 +6,12 @@ SecretStores.
 ### Supported
 * Hashicorp Vault
 * AWS SecretManager
-### Planned
 * GCP Secret Manager
 
+### Planned
+* Azure Key Vault
+* Bitwarden
+
 ## Inspiration
 Inspired by the great work done by the contributors over at [godaddy/kubernetes-external-secrets][1] and
 [jetstack/cert-manager][2], This project aims to take some of the best ideas from both projects for managing secrets.

diff --git a/deploy/charts/secret-manager/Chart.yaml b/deploy/charts/secret-manager/Chart.yaml
@@ -15,7 +15,6 @@ keywords:
   - crd
 home: https://github.com/itscontained/secret-manager
 sources:
-  - https://github.com/itscontained/secret-manager
   - https://hub.docker.com/r/itscontained/secret-manager
   - https://quay.io/repository/itscontained/secret-manager
   - https://github.com/orgs/itscontained/packages/container/secret-manager
@@ -24,3 +23,19 @@ maintainers:
     email: [email protected]
   - name: mcavoyk
     email: [email protected]
+annotations:
+  artifacthub.io/operator: true
+  artifacthub.io/links: |
+    - name: Source Code
+      url: https://github.com/itscontained/secret-manager
+    - name: DockerHub Image
+      url: https://hub.docker.com/r/itscontained/secret-manager
+    - name: Quay.io Image
+      url: https://quay.io/repository/itscontained/secret-manager
+    - name: GHCR Image
+      url: https://github.com/orgs/itscontained/packages/container/secret-manager
+  artifacthub.io/maintainers: |
+    - name: Nicholas St. Germain
+      email: [email protected]
+    - name: Kellin McAvoy
+      email: [email protected]
diff --git a/deploy/charts/secret-manager/templates/NOTES.txt b/deploy/charts/secret-manager/templates/NOTES.txt
@@ -4,6 +4,4 @@ In order to begin using ExternalSecrets, you will need to set up a SecretStore
 or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
 
 More information on the different types of SecretStores and how to configure them
-can be found in our Github:
-
-https://github.com/itscontained/secret-manager
+can be found in our Github: https://github.com/itscontained/secret-manager
diff --git a/deploy/charts/secret-manager/templates/deployment.yaml b/deploy/charts/secret-manager/templates/deployment.yaml
@@ -54,6 +54,8 @@ spec:
             {{- if .Values.leaderElect }}
           - --leader-elect=true
           - --leader-election-namespace={{ .Release.Namespace }}
+            {{- else }}
+          - --leader-elect=false
             {{- end }}
           {{- range $arg := .Values.extraArgs }}
           - {{ $arg }}

diff --git a/deploy/crds/legacy/secret-manager.itscontained.io_clustersecretstores.yaml b/deploy/crds/legacy/secret-manager.itscontained.io_clustersecretstores.yaml
@@ -124,6 +124,50 @@ spec:
                   description: Region configures the region to send requests to.
                   type: string
               type: object
+            gcp:
+              description: GCP configures this store to sync secrets using GCP Secret
+                Manager
+              properties:
+                authSecretRef:
+                  description: Auth configures how secret-manager authenticates with
+                    GCP Secret Manager.
+                  properties:
+                    filePath:
+                      description: 'The FilePath string is used for authentication
+                        using a gcp credentials json file. If not set we fall-back
+                        to using `GOOGLE_APPLICATION_CREDENTIALS` or the default service
+                        account of the compute engine see: https://cloud.google.com/docs/authentication/production'
+                      type: string
+                    json:
+                      description: 'The JSON secret key selector is used for authentication.
+                        If not set we fall-back to using `GOOGLE_APPLICATION_CREDENTIALS`
+                        or the default service account of the compute engine see:
+                        https://cloud.google.com/docs/authentication/production'
+                      properties:
+                        key:
+                          description: The key of the entry in the Secret resource's
+                            `data` field to be used. Some instances of this field
+                            may be defaulted, in others it may be required.
+                          type: string
+                        name:
+                          description: 'Name of the resource being referred to. More
+                            info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                          type: string
+                        namespace:
+                          description: Namespace of the resource being referred to.
+                            Ignored if referent is not cluster-scoped. cluster-scoped
+                            defaults to the namespace of the referent.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  type: object
+                projectID:
+                  description: ProjectID is a convenience string to allow the shortening
+                    of secret paths. When set, the prefix projects/<ProjectID> can
+                    be removed from the name
+                  type: string
+              type: object
             vault:
               description: Vault configures this store to sync secrets using a HashiCorp
                 Vault KV backend.

diff --git a/deploy/crds/legacy/secret-manager.itscontained.io_externalsecrets.yaml b/deploy/crds/legacy/secret-manager.itscontained.io_externalsecrets.yaml
@@ -59,6 +59,9 @@ spec:
               description: Data is a list of references to secret values.
               items:
                 properties:
+                  namespace:
+                    description: Namespace of the secret. Ignored if SecretStore
+                    type: string
                   remoteRef:
                     description: RemoteRef describes the path and other parameters
                       to access the secret for the specific SecretStore

diff --git a/deploy/crds/legacy/secret-manager.itscontained.io_secretstores.yaml b/deploy/crds/legacy/secret-manager.itscontained.io_secretstores.yaml
@@ -124,6 +124,50 @@ spec:
                   description: Region configures the region to send requests to.
                   type: string
               type: object
+            gcp:
+              description: GCP configures this store to sync secrets using GCP Secret
+                Manager
+              properties:
+                authSecretRef:
+                  description: Auth configures how secret-manager authenticates with
+                    GCP Secret Manager.
+                  properties:
+                    filePath:
+                      description: 'The FilePath string is used for authentication
+                        using a gcp credentials json file. If not set we fall-back
+                        to using `GOOGLE_APPLICATION_CREDENTIALS` or the default service
+                        account of the compute engine see: https://cloud.google.com/docs/authentication/production'
+                      type: string
+                    json:
+                      description: 'The JSON secret key selector is used for authentication.
+                        If not set we fall-back to using `GOOGLE_APPLICATION_CREDENTIALS`
+                        or the default service account of the compute engine see:
+                        https://cloud.google.com/docs/authentication/production'
+                      properties:
+                        key:
+                          description: The key of the entry in the Secret resource's
+                            `data` field to be used. Some instances of this field
+                            may be defaulted, in others it may be required.
+                          type: string
+                        name:
+                          description: 'Name of the resource being referred to. More
+                            info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                          type: string
+                        namespace:
+                          description: Namespace of the resource being referred to.
+                            Ignored if referent is not cluster-scoped. cluster-scoped
+                            defaults to the namespace of the referent.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  type: object
+                projectID:
+                  description: ProjectID is a convenience string to allow the shortening
+                    of secret paths. When set, the prefix projects/<ProjectID> can
+                    be removed from the name
+                  type: string
+              type: object
             vault:
               description: Vault configures this store to sync secrets using a HashiCorp
                 Vault KV backend.

diff --git a/deploy/crds/secret-manager.itscontained.io_clustersecretstores.yaml b/deploy/crds/secret-manager.itscontained.io_clustersecretstores.yaml
@@ -123,6 +123,50 @@ spec:
                     description: Region configures the region to send requests to.
                     type: string
                 type: object
+              gcp:
+                description: GCP configures this store to sync secrets using GCP Secret
+                  Manager
+                properties:
+                  authSecretRef:
+                    description: Auth configures how secret-manager authenticates
+                      with GCP Secret Manager.
+                    properties:
+                      filePath:
+                        description: 'The FilePath string is used for authentication
+                          using a gcp credentials json file. If not set we fall-back
+                          to using `GOOGLE_APPLICATION_CREDENTIALS` or the default
+                          service account of the compute engine see: https://cloud.google.com/docs/authentication/production'
+                        type: string
+                      json:
+                        description: 'The JSON secret key selector is used for authentication.
+                          If not set we fall-back to using `GOOGLE_APPLICATION_CREDENTIALS`
+                          or the default service account of the compute engine see:
+                          https://cloud.google.com/docs/authentication/production'
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: Namespace of the resource being referred
+                              to. Ignored if referent is not cluster-scoped. cluster-scoped
+                              defaults to the namespace of the referent.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  projectID:
+                    description: ProjectID is a convenience string to allow the shortening
+                      of secret paths. When set, the prefix projects/<ProjectID> can
+                      be removed from the name
+                    type: string
+                type: object
               vault:
                 description: Vault configures this store to sync secrets using a HashiCorp
                   Vault KV backend.

diff --git a/deploy/crds/secret-manager.itscontained.io_externalsecrets.yaml b/deploy/crds/secret-manager.itscontained.io_externalsecrets.yaml
@@ -58,6 +58,9 @@ spec:
                 description: Data is a list of references to secret values.
                 items:
                   properties:
+                    namespace:
+                      description: Namespace of the secret. Ignored if SecretStore
+                      type: string
                     remoteRef:
                       description: RemoteRef describes the path and other parameters
                         to access the secret for the specific SecretStore

diff --git a/deploy/crds/secret-manager.itscontained.io_secretstores.yaml b/deploy/crds/secret-manager.itscontained.io_secretstores.yaml
@@ -123,6 +123,50 @@ spec:
                     description: Region configures the region to send requests to.
                     type: string
                 type: object
+              gcp:
+                description: GCP configures this store to sync secrets using GCP Secret
+                  Manager
+                properties:
+                  authSecretRef:
+                    description: Auth configures how secret-manager authenticates
+                      with GCP Secret Manager.
+                    properties:
+                      filePath:
+                        description: 'The FilePath string is used for authentication
+                          using a gcp credentials json file. If not set we fall-back
+                          to using `GOOGLE_APPLICATION_CREDENTIALS` or the default
+                          service account of the compute engine see: https://cloud.google.com/docs/authentication/production'
+                        type: string
+                      json:
+                        description: 'The JSON secret key selector is used for authentication.
+                          If not set we fall-back to using `GOOGLE_APPLICATION_CREDENTIALS`
+                          or the default service account of the compute engine see:
+                          https://cloud.google.com/docs/authentication/production'
+                        properties:
+                          key:
+                            description: The key of the entry in the Secret resource's
+                              `data` field to be used. Some instances of this field
+                              may be defaulted, in others it may be required.
+                            type: string
+                          name:
+                            description: 'Name of the resource being referred to.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: Namespace of the resource being referred
+                              to. Ignored if referent is not cluster-scoped. cluster-scoped
+                              defaults to the namespace of the referent.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                    type: object
+                  projectID:
+                    description: ProjectID is a convenience string to allow the shortening
+                      of secret paths. When set, the prefix projects/<ProjectID> can
+                      be removed from the name
+                    type: string
+                type: object
               vault:
                 description: Vault configures this store to sync secrets using a HashiCorp
                   Vault KV backend.

diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/itscontained/secret-manager
 go 1.14
 
 require (
+	cloud.google.com/go v0.65.0
 	github.com/aws/aws-sdk-go-v2 v0.24.0
 	github.com/go-logr/logr v0.2.1-0.20200730175230-ee2de8da5be6
 	github.com/go-logr/zapr v0.2.0 // indirect
@@ -15,6 +16,8 @@ require (
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/pflag v1.0.5
 	go.uber.org/zap v1.15.0 // indirect
+	google.golang.org/api v0.30.0
+	google.golang.org/genproto v0.0.0-20200911024640-645f7a48b24f
 	k8s.io/api v0.18.6
 	k8s.io/apimachinery v0.18.6
 	k8s.io/client-go v0.18.6