Commit
Take ownership of an existing destination secret (hashicorp#545)
Adds a new configuration option, spec.destination.overwrite; when it is set
to true, VSO will replace an existing destination secret that it does not
currently own. VSO will then take ownership of the destination secret's
life-cycle.
benashz authored and kishoregv committed Feb 12, 2024
1 parent d38f974 commit f8bb201
Showing 12 changed files with 177 additions and 37 deletions.
7 changes: 6 additions & 1 deletion api/v1beta1/common.go
Expand Up @@ -14,7 +14,12 @@ type Destination struct {
Name string `json:"name"`
// Create the destination Secret.
// If the Secret already exists this should be set to false.
Create bool `json:"create,omitempty"`
// +kubebuilder:default=false
Create bool `json:"create"`
// Overwrite the destination Secret if it exists and Create is true. This is
// useful when migrating to VSO from a previous secret deployment strategy.
// +kubebuilder:default=false
Overwrite bool `json:"overwrite"`
// Labels to apply to the Secret. Requires Create to be set to true.
Labels map[string]string `json:"labels,omitempty"`
// Annotations to apply to the Secret. Requires Create to be set to true.
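Review bot: dropping `omitempty` from the `create` tag and adding `+kubebuilder:default=false` changes the serialized form of the struct (it will now always emit `create: false`), and together with the new `overwrite` field carrying the same default, the generated CRD schemas in this change list both fields under `required`; the commit message should call out that existing manifests omitting `create` now rely on API-server defaulting. The `Overwrite` doc comment should also state what the commit message says, that the existing Secret's data is replaced even when VSO does not currently own it and that VSO then takes over its life-cycle, since that is a destructive operation against a Secret another tool may still be managing.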
9 changes: 9 additions & 0 deletions chart/crds/secrets.hashicorp.com_hcpvaultsecretsapps.yaml
Expand Up @@ -53,6 +53,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -65,12 +66,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
hcpAuthRef:
description: 'HCPAuthRef to the HCPAuth resource, can be prefixed
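Review bot: `overwrite` is added to the `required` list even though it carries `default: false`, so a client that validates manifests against this CRD without applying schema defaults (offline validation in CI, for example) may now reject every existing manifest that omits the field; consider whether a defaulted boolean needs to be required at all. The same question applies to `create`, which becomes required in the hunk above.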
9 changes: 9 additions & 0 deletions chart/crds/secrets.hashicorp.com_vaultdynamicsecrets.yaml
Expand Up @@ -56,6 +56,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -68,12 +69,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
mount:
description: Mount path of the secret's engine in Vault.
9 changes: 9 additions & 0 deletions chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml
Expand Up @@ -65,6 +65,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -77,12 +78,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
excludeCNFromSans:
description: 'ExcludeCNFromSans from DNS or Email Subject Alternate
9 changes: 9 additions & 0 deletions chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
Expand Up @@ -48,6 +48,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -60,12 +61,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
hmacSecretData:
default: true
Expand Up @@ -53,6 +53,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -65,12 +66,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
hcpAuthRef:
description: 'HCPAuthRef to the HCPAuth resource, can be prefixed
Expand Up @@ -56,6 +56,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -68,12 +69,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
mount:
description: Mount path of the secret's engine in Vault.
9 changes: 9 additions & 0 deletions config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml
Expand Up @@ -65,6 +65,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -77,12 +78,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
excludeCNFromSans:
description: 'ExcludeCNFromSans from DNS or Email Subject Alternate
Expand Up @@ -48,6 +48,7 @@ spec:
to be set to true.
type: object
create:
default: false
description: Create the destination Secret. If the Secret already
exists this should be set to false.
type: boolean
Expand All @@ -60,12 +61,20 @@ spec:
name:
description: Name of the Secret
type: string
overwrite:
default: false
description: Overwrite the destination Secret if it exists and
Create is true. This is useful when migrating to VSO from a
previous secret deployment strategy.
type: boolean
type:
description: Type of Kubernetes Secret. Requires Create to be
set to true. Defaults to Opaque.
type: string
required:
- create
- name
- overwrite
type: object
hmacSecretData:
default: true
1 change: 1 addition & 0 deletions docs/api/api-reference.md
Expand Up @@ -42,6 +42,7 @@ _Appears in:_
| --- | --- |
| `name` _string_ | Name of the Secret |
| `create` _boolean_ | Create the destination Secret. If the Secret already exists this should be set to false. |
| `overwrite` _boolean_ | Overwrite the destination Secret if it exists and Create is true. This is useful when migrating to VSO from a previous secret deployment strategy. |
| `labels` _object (keys:string, values:string)_ | Labels to apply to the Secret. Requires Create to be set to true. |
| `annotations` _object (keys:string, values:string)_ | Annotations to apply to the Secret. Requires Create to be set to true. |
| `type` _[SecretType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secrettype-v1-core)_ | Type of Kubernetes Secret. Requires Create to be set to true. Defaults to Opaque. |
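Review bot: the `overwrite` row only repeats the Go doc comment, but the API reference is where users will look before enabling a destructive option; it should mention that the existing Secret's contents are replaced even if VSO did not create that Secret and that VSO takes ownership of its life-cycle afterwards, as the commit message describes, and that the field defaults to false and is now required in the CRD schema.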