fix!: update crd to apiextensions.k8s.io/v1 (#681)

- Drops support for `secretDescriptor` in CRD validation (its been deprecated forever, wasn't really validated before either but seemed to work regardless)
- Updates to apiextensions.k8s.io/v1 for CRD
- Updated validation schema to comply with structural requirements 😄 
- If the schema is missing anything that was used those fields will be dropped as soon as the CRD is updated! (setting `preserveUnknownFields: true` is not allowed)

This _shouldn't_ be a breaking change for users as long as the validation schema includes all the possible props. I've gone thru the backends specOptions and keyOptions and I believe I've caught them all.. (assuming no one uses `secretDescriptor`)

Drops support for kubernetes versions <1.16

BREAKING CHANGE: Drops support for kubernetes versions <1.16. This _shouldn't_ be a breaking change if you have followed earlier deprecation's (like using `spec` instead of `secretDescriptor`. The updated CRD complies with the new structural validation and should validate all fields, any fields missing in the validation will be dropped from your ExternalSecret resource.

Author: Flydiverny

charts/kubernetes-external-secrets/README.md

@@ -13,7 +13,7 @@ See below for [Helm V2 considerations](#helm-v2-considerations) when installing
 
 ## Prerequisites
 
-* Kubernetes 1.12+
+* Kubernetes 1.16+
 
 ## Installing the Chart
 

charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: externalsecrets.kubernetes-client.io
@@ -8,77 +8,77 @@ metadata:
     app.kubernetes.io/managed-by: helm
 spec:
   group: kubernetes-client.io
-  version: v1
   scope: Namespaced
 
-  names:
-    shortNames:
-      - es
-    kind: ExternalSecret
-    plural: externalsecrets
-    singular: externalsecret
-
-  additionalPrinterColumns:
-    - JSONPath: .status.lastSync
-      name: Last Sync
-      type: date
-    - JSONPath: .status.status
-      name: status
-      type: string
-    - JSONPath: .metadata.creationTimestamp
-      name: Age
-      type: date
+  preserveUnknownFields: false
 
-  validation:
-    openAPIV3Schema:
-      required:
-        - spec
-      properties:
-        spec:
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          required:
+            - spec
           type: object
           properties:
-            template:
-              description: Template which will be deep merged without mutating
-                any existing fields. into generated secret, can be used to
-                set for example annotations or type on the generated secret
+            spec:
               type: object
-            controllerId:
-              description: The ID of controller instance that manages this ExternalSecret.
-                This is needed in case there is more than a KES controller instances within the cluster.
-              type: string
-            backendType:
-              type: string
-              enum:
-                - secretsManager
-                - systemManager
-                - vault
-                - azureKeyVault
-                - gcpSecretsManager
-                - alicloudSecretsManager
-                - ibmcloudSecretsManager
-            vaultRole:
-              type: string
-            vaultMountPoint:
-              type: string
-            kvVersion:
-              description: Vault K/V version either 1 or 2, default = 2
-              type: integer
-              minimum: 1
-              maximum: 2
-            keyVaultName:
-              type: string
-            key:
-              type: string
-            dataFrom:
-              type: array
-              items:
-                type: string
-            data:
-              type: array
-              items:
-                type: object
-                anyOf:
-                  - properties:
+              properties:
+                controllerId:
+                  description: The ID of controller instance that manages this ExternalSecret.
+                    This is needed in case there is more than a KES controller instances within the cluster.
+                  type: string
+                type:
+                  type: string
+                  description: >-
+                    DEPRECATED: Use spec.template.type
+                template:
+                  description: Template which will be deep merged without mutating
+                    any existing fields. into generated secret, can be used to
+                    set for example annotations or type on the generated secret
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                backendType:
+                  description: >-
+                    Determines which backend to use for fetching secrets
+                  type: string
+                  enum:
+                    - secretsManager
+                    - systemManager
+                    - vault
+                    - azureKeyVault
+                    - gcpSecretsManager
+                    - alicloudSecretsManager
+                    - ibmcloudSecretsManager
+                vaultRole:
+                  description: >-
+                    Used by: vault
+                  type: string
+                vaultMountPoint:
+                  description: >-
+                    Used by: vault
+                  type: string
+                kvVersion:
+                  description: Vault K/V version either 1 or 2, default = 2
+                  type: integer
+                  minimum: 1
+                  maximum: 2
+                keyVaultName:
+                  description: >-
+                    Used by: azureKeyVault
+                  type: string
+                dataFrom:
+                  type: array
+                  items:
+                    type: string
+                data:
+                  type: array
+                  items:
+                    type: object
+                    properties:
                       key:
                         description: Secret key in backend
                         type: string
@@ -87,60 +87,122 @@ spec:
                         type: string
                       property:
                         description: Property to extract if secret in backend is a JSON object
+                        type: string
                       isBinary:
                         description: >-
                           Whether the backend secret shall be treated as binary data
                           represented by a base64-encoded string. You must set this to true
                           for any base64-encoded binary data in the backend - to ensure it
                           is not encoded in base64 again. Default is false.
                         type: boolean
-                    required:
-                      - key
-                      - name
-                  - properties:
                       path:
                         description: >-
                           Path from SSM to scrape secrets
                           This will fetch all secrets and use the key from the secret as variable name
+                        type: string
                       recursive:
-                        description: Allow to recurse thru all child keys on a given path
+                        description: Allow to recurse thru all child keys on a given path, default false
                         type: boolean
-                    required:
-                      - path
-            roleArn:
-              type: string
-          oneOf:
-            - properties:
-                backendType:
-                  enum:
-                    - secretsManager
-                    - systemManager
-            - properties:
-                backendType:
-                  enum:
-                    - vault
-            - properties:
-                backendType:
-                  enum:
-                    - azureKeyVault
-              required:
-                - keyVaultName
-            - properties:
-                backendType:
-                  enum:
-                    - gcpSecretsManager
-            - properties:
-                backendType:
-                  enum:
-                    - alicloudSecretsManager
-            - properties:
-                backendType:
-                  enum:
-                    - ibmcloudSecretsManager
-          anyOf:
-            - required:
-                - data
-            - required:
-                - dataFrom
-  subresources:
-    status: {}
+                      secretType:
+                        description: >-
+                          Used by: ibmcloudSecretsManager
+                          Type of secret - one of username_password, iam_credentials or arbitrary
+                        type: string
+                      version:
+                        description: >-
+                          Used by: gcpSecretsManager
+                        type: string
+                        x-kubernetes-int-or-string: true
+                      versionStage:
+                        description: >-
+                          Used by: alicloudSecretsManager, secretsManager
+                        type: string
+                      versionId:
+                        description: >-
+                          Used by: secretsManager
+                        type: string
+                    oneOf:
+                      - properties:
+                          key:
+                          name:
+                          property:
+                          isBinary:
+                          secretType:
+                        required:
+                          - key
+                          - name
+                      - properties:
+                          path:
+                          recursive:
+                        required:
+                          - path
+                roleArn:
+                  type: string
+                  description: >-
+                    Used by: alicloudSecretsManager, secretsManager, systemManager
+                region:
+                  type: string
+                  description: >-
+                    Used by: secretsManager, systemManager
+                projectId:
+                  type: string
+                  description: >-
+                    Used by: gcpSecretsManager
+              oneOf:
+                - properties:
+                    backendType:
+                      enum:
+                        - secretsManager
+                        - systemManager
+                - properties:
+                    backendType:
+                      enum:
+                        - vault
+                - properties:
+                    backendType:
+                      enum:
+                        - azureKeyVault
+                  required:
+                    - keyVaultName
+                - properties:
+                    backendType:
+                      enum:
+                        - gcpSecretsManager
+                - properties:
+                    backendType:
+                      enum:
+                        - alicloudSecretsManager
+                - properties:
+                    backendType:
+                      enum:
+                        - ibmcloudSecretsManager
+              anyOf:
+                - required:
+                    - data
+                - required:
+                    - dataFrom
+            status:
+              type: object
+              properties:
+                lastSync:
+                  type: string
+                status:
+                  type: string
+      additionalPrinterColumns:
+        - jsonPath: .status.lastSync
+          name: Last Sync
+          type: date
+        - jsonPath: .status.status
+          name: status
+          type: string
+        - jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+
+  names:
+    shortNames:
+      - es
+    kind: ExternalSecret
+    plural: externalsecrets
+    singular: externalsecret
+

e2e/tests/crd.test.js

@@ -16,7 +16,7 @@ describe('CRD', () => {
   it('ensure CRD is managed correctly', async () => {
     const res = await kubeClient
       .apis['apiextensions.k8s.io']
-      .v1beta1
+      .v1
       .customresourcedefinitions(customResourceManifest.metadata.name)
       .get()
 

examples/alicloud-secretsmanager.yaml

@@ -0,0 +1,15 @@
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: alicloud-secretsmanager
+spec:
+  backendType: alicloudSecretsManager
+  # optional: specify role to assume using provided access key ID and access key secret when retrieving the data
+  roleArn: acs:ram::{UID}:role/demo
+  data:
+    - key: hello-credentials1
+      name: password
+    - key: hello-credentials2
+      name: username
+      # Version Stage in Alibaba Cloud KMS Secrets Manager. Optional, default value is ACSCurrent
+      versionStage: ACSCurrent

examples/alicloudsecretsmanager-example.yaml

@@ -1,7 +1,7 @@
 apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: secretsmanager-example
+  name: aws-secretsmanager
 spec:
   backendType: secretsManager
   # optional: specify role to assume when retrieving the data

examples/secretsmanager-example.yaml examples/aws-secretsmanager.yaml

@@ -0,0 +1,15 @@
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: aws-ssm-path
+spec:
+  backendType: systemManager
+  # optional: specify role to assume when retrieving the data
+  roleArn: arn:aws:iam::123456789012:role/test-role
+  # optional: specify region
+  region: us-east-1
+  data:
+    - key: /foo/name
+      name: fooName
+    - path: /extra-people/
+      recursive: false

examples/aws-ssm-path.yaml

@@ -1,7 +1,7 @@
 apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: ssm-example
+  name: aws-ssm
 spec:
   backendType: systemManager
   # optional: specify role to assume when retrieving the data