-
Notifications
You must be signed in to change notification settings - Fork 288
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add API types for secrets sync controller #1364
feat: add API types for secrets sync controller #1364
Conversation
Hi @mandreap. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the controller's RBAC, admission policy, and CLI config are required to complete the picture on this API.
secretsstoresynccontroller/config/samples/AzureSpcMultipleSecrets.yaml
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/config/samples/AzureSpcMultipleSecrets.yaml
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/config/samples/SecretStoreSecret1.yaml
Outdated
Show resolved
Hide resolved
secretProviderClassName: spc-multiple-secrets # [REQUIRED] name of the SecretProviderClass | ||
serviceAccountName: <workload-identity-sa-name> # [REQUIRED] name of the service account |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aramase this does means you could try to use the same SPC across multiple SAs. That sounds like something that is possible today via the pod mount, but does anyone actually do that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is used when the same SPC needs to be mounted in 2 different pods that have different SA. I don't think it's done explicitly but because the pods already have a SA configured they would just use that as-is.
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
...tsstoresynccontroller/config/crd/bases/secretsync.secret-sync.x-k8s.io_secretstoresyncs.yaml
Outdated
Show resolved
Hide resolved
/retitle feat: add API for secrets sync |
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretProviderClassName: spc-multiple-secrets # [REQUIRED] name of the SecretProviderClass | ||
serviceAccountName: <workload-identity-sa-name> # [REQUIRED] name of the service account |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is used when the same SPC needs to be mounted in 2 different pods that have different SA. I don't think it's done explicitly but because the pods already have a SA configured they would just use that as-is.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mandreap The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…nto mandrea/secretstoresynccontroller
…nto mandrea/secretstoresynccontroller
…ap/secrets-store-csi-driver into mandrea/secretstoresynccontroller
secretsstoresynccontroller/config/controllers/secretstoresync_controller.go
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
…nto mandrea/secretstoresynccontroller
// +kubebuilder:validation:XValidation:message="Labels should have < 63 characters for both keys and values.",rule="(self.all(x, x.size() < 63 && self[x].size() < 63) == true)" | ||
// +kubebuilder:validation:XValidation:message="Labels should not contain secrets-store.sync.x-k8s.io. This key is reserved for the controller.",rule="(self.all(x, x.contains('secrets-store.sync.x-k8s.io') == false))" | ||
// +optional | ||
Labels map[string]string `json:"labels,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably worth opening an issue for kubebuilder to be able to specify constraints on the value (like maxLength). CRDs can express this but it doesn't seem like kubebuilder can.
secretsstoresynccontroller/api/v1alpha1/secretstoresync_types.go
Outdated
Show resolved
Hide resolved
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Provides the API for the Secret Store Sync Controller.
At the end this feature will:
Special notes for your reviewer:
TODOs: