feat: allow to watch externalsecrets in specified namespaces

README.md

@@ -230,9 +230,12 @@ spec:
  name: .dockerconfigjson
 ```
 
-## Enforcing naming conventions for backend keys
+## Scoping access
 
-by default an `ExternalSecret` may access arbitrary keys from the backend e.g.
+### Using Namespace annotation
+
+Enforcing naming conventions for backend keys could be done by using namespace annotations.
+By default an `ExternalSecret` may access arbitrary keys from the backend e.g.
 
 ```yml
  data:
@@ -256,6 +259,31 @@ metadata:
  externalsecrets.kubernetes-client.io/permitted-key-name: "/dev/cluster1/core-namespace/.*"
 ```
 
+### Using ExternalSecret controller config
+
+ExternalSecret config allows scoping the access of kubernetes-external-secrets controller.
+This allows to deploy multi kubernetes-external-secrets instances at the same cluster
+and each instance can access a set of predefined namespaces.
+
+To enable this option, set the env var in the controller side with a list of namespaces:
+```yaml
+env:
+ WATCHED_NAMESPACES: "default,qa,dev"
+```
+
+Finally, in case more than a kubernetes-external-secrets is deployment,
+it's recommended to make only one deployment is the CRD manager,
+and disable CRD management in the rest of the deployment
+to avoid having multiple deployments fighting over the CRD.
+
+That's could be done in the controller side by setting the env var:
+```yaml
+env:
+ DISABLE_CUSTOM_RESOURCE_MANAGER: true
+```
+
+Or in Helm, by setting `customResourceManagerDisabled=true`.
+
 ## Deprecations
 
 A few properties has changed name overtime, we still maintain backwards compatbility with these but they will eventually be removed, and they are not validated using the CRD validation.

bin/daemon.js

@@ -26,7 +26,8 @@ const {
  rolePermittedAnnotation,
  namingPermittedAnnotation,
  enforceNamespaceAnnotation,
- watchTimeout
+ watchTimeout,
+ watchedNamespaces
 } = require('../config')
 
 async function main () {
@@ -37,6 +38,7 @@ async function main () {
 
  const externalSecretEvents = getExternalSecretEvents({
  kubeClient,
+ watchedNamespaces,
  customResourceManifest,
  logger,
  watchTimeout

config/environment.js

@@ -41,6 +41,17 @@ const metricsPort = process.env.METRICS_PORT || 3001
 const customResourceManagerDisabled = 'DISABLE_CUSTOM_RESOURCE_MANAGER' in process.env
 const watchTimeout = process.env.WATCH_TIMEOUT ? parseInt(process.env.WATCH_TIMEOUT) : 60000
 
+// A comma-separated list of watched namespaces. If set, only ExternalSecrets in those namespaces will be handled.
+let watchedNamespaces = process.env.WATCHED_NAMESPACES || ''
+
+// Return an array after splitting the watched namespaces string and clean up user input.
+watchedNamespaces = watchedNamespaces
+ .split(',')
+ // Remove any extra spaces.
+ .map(namespace => { return namespace.trim() })
+ // Remove empty values (in case there is a tailing comma).
+ .filter(namespace => namespace)
+
 module.exports = {
  vaultEndpoint,
  vaultNamespace,
@@ -58,5 +69,6 @@ module.exports = {
  customResourceManagerDisabled,
  useHumanReadableLogLevels,
  logMessageKey,
- watchTimeout
+ watchTimeout,
+ watchedNamespaces
 }

lib/external-secret.js

@@ -24,6 +24,7 @@ function createEventQueue () {
 
 async function startWatcher ({
  kubeClient,
+ watchedNamespaces,
  customResourceManifest,
  logger,
  eventQueue,
@@ -35,13 +36,21 @@ async function startWatcher ({
  while (true) {
  logger.debug('Starting watch stream')
 
- const stream = kubeClient
- .apis[customResourceManifest.spec.group]
- .v1.watch[customResourceManifest.spec.names.plural]
- .getStream()
-
  const jsonStream = new JSONStream()
- stream.pipe(jsonStream)
+
+ // If the watchedNamespaces is an empty array (i.e. no scoped access),
+ // add an empty element so all ExternalSecret resources in all namespaces will be watched.
+ const namespacesStreams = watchedNamespaces.length ? watchedNamespaces : ['']
+
+ // Create a namespace stream per namespace and add it to the JSON stream.
+ namespacesStreams.map(namespace => {
+ return kubeClient
+ .apis[customResourceManifest.spec.group]
+ .v1.watch
+ .namespaces(namespace)[customResourceManifest.spec.names.plural]
+ .getStream()
+ .pipe(jsonStream)
+ })
 
  let timeout
  const restartTimeout = () => {
@@ -52,7 +61,9 @@ async function startWatcher ({
  const timeMs = watchTimeout
  timeout = setTimeout(() => {
  logger.info(`No watch event for ${timeMs} ms, restarting watcher`)
- stream.abort()
+ namespacesStreams.forEach(namespaceStream => {
+ namespaceStream.abort();
+ })
  }, timeMs)
  timeout.unref()
  }
@@ -78,7 +89,9 @@ async function startWatcher ({
  logger.info('Stopping watch stream due to event: %s', deathEvent)
  eventQueue.put({ type: 'DELETED_ALL' })
 
- stream.abort()
+ namespacesStreams.forEach(namespaceStream => {
+ namespaceStream.abort()
+ })
  }
  } catch (err) {
  logger.error(err, 'Watcher crashed')
@@ -89,11 +102,13 @@ async function startWatcher ({
  * Get a stream of external secret events. This implementation uses
  * watch and yields as a stream of events.
  * @param {Object} kubeClient - Client for interacting with kubernetes cluster.
+ * @param {Array} watchedNamespaces - List of scoped namespaces.
  * @param {Object} customResourceManifest - Custom resource manifest.
  * @returns {Object} An async generator that yields externalsecret events.
  */
 function getExternalSecretEvents ({
  kubeClient,
+ watchedNamespaces,
  customResourceManifest,
  logger,
  watchTimeout
@@ -103,6 +118,7 @@ function getExternalSecretEvents ({
 
  startWatcher({
  kubeClient,
+ watchedNamespaces,
  customResourceManifest,
  logger,
  eventQueue,

lib/external-secret.test.js

@@ -9,6 +9,7 @@ const { getExternalSecretEvents } = require('./external-secret')
 
 describe('getExternalSecretEvents', () => {
  let kubeClientMock
+ let watchedNamespaces
  let externalSecretsApiMock
  let fakeCustomResourceManifest
  let loggerMock
@@ -26,19 +27,29 @@ describe('getExternalSecretEvents', () => {
  externalSecretsApiMock = sinon.mock()
 
  mockedStream = new Readable()
- mockedStream._read = () => {}
- mockedStream.abort = () => {}
+ mockedStream._read = () => { }
 
  externalSecretsApiMock.get = sinon.stub()
- kubeClientMock = sinon.mock()
- kubeClientMock.apis = sinon.mock()
- kubeClientMock.apis['kubernetes-client.io'] = sinon.mock()
- kubeClientMock.apis['kubernetes-client.io'].v1 = sinon.mock()
- kubeClientMock.apis['kubernetes-client.io'].v1.watch = sinon.mock()
- kubeClientMock.apis['kubernetes-client.io']
- .v1.watch.externalsecrets = sinon.mock()
- kubeClientMock.apis['kubernetes-client.io']
- .v1.watch.externalsecrets.getStream = () => mockedStream
+
+ kubeClientMock = {
+ apis: {
+ 'kubernetes-client.io': {
+ v1: {
+ watch: {
+ namespaces: () => {
+ return {
+ externalsecrets: {
+ getStream: () => mockedStream
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ watchedNamespaces = []
 
  loggerMock = sinon.mock()
  loggerMock.info = sinon.stub()
@@ -60,6 +71,7 @@ describe('getExternalSecretEvents', () => {
 
  const events = getExternalSecretEvents({
  kubeClient: kubeClientMock,
+ watchedNamespaces: watchedNamespaces,
  customResourceManifest: fakeCustomResourceManifest,
  logger: loggerMock,
  watchTimeout: 5000