feat!: drop helm v2 and builtin CRD management (#663)

Signed-off-by: Markus Maga <[email protected]>

Author: Flydiverny

.github/workflows/workflow.yml

@@ -40,18 +40,6 @@ jobs:
   test-e2e:
     runs-on: ubuntu-latest
     name: E2E
-    strategy:
-      matrix:
-        disableCustomResourceManager: ["true", "false"]
-        helmVersion: ["V2", "V3"]
     steps:
       - uses: actions/checkout@v2
-      - uses: azure/setup-helm@v1
-        with:
-          version: v2.17.0
-        if: matrix.helmVersion == 'V2'
-      - name: configure helm v2
-        run: |
-          helm init --client-only
-        if: matrix.helmVersion == 'V2'
-      - run: ./e2e/run-e2e-suite.sh ${{ matrix.disableCustomResourceManager }} ${{ matrix.helmVersion }}
+      - run: ./e2e/run-e2e-suite.sh

README.md

@@ -17,7 +17,6 @@ const PollerFactory = require('../lib/poller-factory')
 const {
   backends,
   kubeClient,
-  customResourceManager,
   customResourceManifest,
   logger,
   metricsPort,
@@ -34,7 +33,8 @@ async function main () {
   logger.info('loading kube specs')
   await kubeClient.loadSpec()
   logger.info('successfully loaded kube specs')
-  await customResourceManager.manageCrd({ customResourceManifest })
+
+  kubeClient.addCustomResourceDefinition(customResourceManifest)
 
   const externalSecretEvents = getExternalSecretEvents({
     kubeClient,

bin/daemon.js

@@ -4,11 +4,9 @@
 
 ## TL;DR;
 
-Assumes you are using Helm V3:
-
 ```bash
 $ helm repo add external-secrets https://external-secrets.github.io/kubernetes-external-secrets/
-$ helm install external-secrets/kubernetes-external-secrets --skip-crds
+$ helm install external-secrets/kubernetes-external-secrets
 ```
 
 See below for [Helm V2 considerations](#helm-v2-considerations) when installing the chart.
@@ -22,39 +20,13 @@ See below for [Helm V2 considerations](#helm-v2-considerations) when installing
 To install the chart with the release named `my-release`:
 
 ```bash
-$ helm install my-release external-secrets/kubernetes-external-secrets --skip-crds
+$ helm install my-release external-secrets/kubernetes-external-secrets
 ```
 
-> **Tip:** A namespace can be specified by the `Helm` option '`--namespace kube-external-secrets`', however know this will not [autocreate a namespace](https://helm.sh/docs/faq/#automatically-creating-namespaces) like in Helm V2. To do that, also add the `--create-namespace` flag.
-
-> **Note**: `--skip-crds` is required in order to ensure the custom resource manager is used and will work for backwards compatibility. In future 4.x releases, this will not be required. See below for how to [disable the custom resource manager](#installing-the-crd) via the chart.
-
 To install the chart with [AWS IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html):
 
 ```bash
-$ helm install my-release external-secrets/kubernetes-external-secrets --skip-crds --set securityContext.fsGroup=65534 --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"='arn:aws:iam::111111111111:role/ROLENAME'
-```
-
-### Installing the CRD
-
-To install the `ExternalSecret` CRD via the chart and disable the custom resource manager, you can omit `--skip-crds` and set `customResourceManagerDisabled`:
-
-```bash
-$ helm install external-secrets/kubernetes-external-secrets --name my-release --set customResourceManagerDisabled=true
-```
-
-### Helm V2 Considerations
-
-For Helm V2, `--skip-crds` is not needed, but `--name` is in order to set the release name:
-
-```bash
-$ helm install external-secrets/kubernetes-external-secrets --name my-release
-```
-
-If you wish to disable the custom resource manager and install the CRD via Helm V2, then `crds.create` must also be set:
-
-```bash
-$ helm install external-secrets/kubernetes-external-secrets --name my-release --set customResourceManagerDisabled=true --set crds.create=true
+$ helm install my-release external-secrets/kubernetes-external-secrets --set securityContext.fsGroup=65534 --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"='arn:aws:iam::111111111111:role/ROLENAME'
 ```
 
 ## Uninstalling the Chart
@@ -71,8 +43,6 @@ The following table lists the configurable parameters of the `kubernetes-externa
 
 | Parameter                                 | Description                                                                                                                       | Default                               |
 | ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
-| `crds.create`                             | For Helm V2 installations of the chart to install the CRD, for V3 installations use `--skip-crds` appropriately                   | `false`                               |
-| `customResourceManagerDisabled`           | Disables the custom resource manager, requiring the CRD be installed via the chart or other means                                 | `false`                               |
 | `env.AWS_REGION`                          | Set AWS_REGION in Deployment Pod                                                                                                  | `us-west-2`                           |
 | `env.AWS_INTERMEDIATE_ROLE_ARN`           | Specifies a role to be assumed before assuming role arn specified in external secrets                                             |                                       |
 | `env.LOG_LEVEL`                           | Set the application log level                                                                                                     | `info`                                |
@@ -122,7 +92,6 @@ Specify each parameter using the `--set key=value[,key=value]` argument to `helm
 
 ```bash
 helm install my-release external-secrets/kubernetes-external-secrets \
---set customResourceManagerDisabled=true
 --set env.POLLER_INTERVAL_MILLISECONDS='300000' \
 --set podAnnotations."iam\.amazonaws\.com/role"='Name-Of-IAM-Role-With-SecretManager-Access'
 ```

charts/kubernetes-external-secrets/README.md

@@ -4,8 +4,6 @@ kind: CustomResourceDefinition
 metadata:
   name: externalsecrets.kubernetes-client.io
   annotations:
-    # for helm v2 backwards compatibility
-    helm.sh/hook: crd-install
     # used in e2e testing
     app.kubernetes.io/managed-by: helm
 spec:

charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml

@@ -45,10 +45,6 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           env:
-          {{- if .Values.customResourceManagerDisabled }}
-          - name: DISABLE_CUSTOM_RESOURCE_MANAGER
-            value: "true"
-          {{- end }}
           {{- range $name, $value := .Values.env }}
           {{- if not (empty $value) }}
           - name: {{ $name | quote }}

charts/kubernetes-external-secrets/templates/crds.yaml

@@ -29,11 +29,6 @@ rules:
   - apiGroups: ["kubernetes-client.io"]
     resources: ["externalsecrets/status"]
     verbs: ["get", "update"]
- {{- if .Values.customResourceManagerDisabled | not }}
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["create"]
-  {{- end }}
   {{- if .Values.customClusterRoles }}
   {{- toYaml .Values.customClusterRoles | nindent 2 }}
   {{- end }}

charts/kubernetes-external-secrets/templates/deployment.yaml

@@ -2,23 +2,15 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-# Determines whether the Helm chart or kubernetes-external-secrets
-# will handle the ExternalSecret CRD
-customResourceManagerDisabled: false
-
-crds:
-  # only needed for helm v2, leave this disabled for helm v3
-  create: false
-
 # Environment variables to set on deployment pod
 env:
   AWS_REGION: us-west-2
   AWS_DEFAULT_REGION: us-west-2
-  POLLER_INTERVAL_MILLISECONDS: 10000  # Caution, setting this frequency may incur additional charges on some platforms
+  POLLER_INTERVAL_MILLISECONDS: 10000 # Caution, setting this frequency may incur additional charges on some platforms
   WATCH_TIMEOUT: 60000
-  WATCHED_NAMESPACES: '' # Comma separated list of namespaces, empty or unset means ALL namespaces.
+  WATCHED_NAMESPACES: "" # Comma separated list of namespaces, empty or unset means ALL namespaces.
   LOG_LEVEL: info
-  LOG_MESSAGE_KEY: 'msg'
+  LOG_MESSAGE_KEY: "msg"
   # Print logs level as string ("info") rather than integer (30)
   # USE_HUMAN_READABLE_LOG_LEVELS: true
   METRICS_PORT: 3001
@@ -103,7 +95,8 @@ securityContext:
   # Required for use of IRSA, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
   # fsGroup: 65534
 
-resources: {}
+resources:
+  {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following

charts/kubernetes-external-secrets/templates/rbac.yaml

@@ -38,7 +38,6 @@ const enforceNamespaceAnnotation = 'ENFORCE_NAMESPACE_ANNOTATIONS' in process.en
 
 const metricsPort = process.env.METRICS_PORT || 3001
 
-const customResourceManagerDisabled = 'DISABLE_CUSTOM_RESOURCE_MANAGER' in process.env
 const watchTimeout = process.env.WATCH_TIMEOUT ? parseInt(process.env.WATCH_TIMEOUT) : 60000
 
 // A comma-separated list of watched namespaces. If set, only ExternalSecrets in those namespaces will be handled.
@@ -66,7 +65,6 @@ module.exports = {
   enforceNamespaceAnnotation,
   pollingDisabled,
   logLevel,
-  customResourceManagerDisabled,
   useHumanReadableLogLevels,
   logMessageKey,
   watchTimeout,

charts/kubernetes-external-secrets/values.yaml

@@ -13,7 +13,6 @@ const azureConfig = require('./azure-config')
 const alicloudConfig = require('./alicloud-config')
 const gcpConfig = require('./gcp-config')
 const envConfig = require('./environment')
-const CustomResourceManager = require('../lib/custom-resource-manager')
 const SecretsManagerBackend = require('../lib/backends/secrets-manager-backend')
 const SystemManagerBackend = require('../lib/backends/system-manager-backend')
 const VaultBackend = require('../lib/backends/vault-backend')
@@ -24,7 +23,6 @@ const AliCloudSecretsManagerBackend = require('../lib/backends/alicloud-secrets-
 // Get document, or throw exception on error
 // eslint-disable-next-line security/detect-non-literal-fs-filename
 const customResourceManifest = yaml.safeLoad(fs.readFileSync(path.resolve(__dirname, '../charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml'), 'utf8'))
-customResourceManifest.metadata.annotations['app.kubernetes.io/managed-by'] = 'custom-resource-manager'
 
 const kubeconfig = new kube.KubeConfig()
 kubeconfig.loadFromDefault()
@@ -46,12 +44,6 @@ const logger = pino({
   timestamp: () => `,"message_time":"${new Date(Date.now()).toISOString()}"`
 })
 
-const customResourceManager = new CustomResourceManager({
-  kubeClient,
-  logger,
-  disabled: envConfig.customResourceManagerDisabled
-})
-
 const secretsManagerBackend = new SecretsManagerBackend({
   clientFactory: awsConfig.secretsManagerFactory,
   assumeRole: awsConfig.assumeRole,
@@ -122,7 +114,6 @@ backends.secretManager = secretsManagerBackend
 module.exports = {
   awsConfig,
   backends,
-  customResourceManager,
   customResourceManifest,
   ...envConfig,
   kubeClient,

config/environment.js

@@ -14,9 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-DISABLE_CUSTOM_RESOURCE_MANAGER=${1:-true}
-HELM_VERSION=${2:-V3}
-
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 KIND_LOGGING=""
 if ! [ -z "$DEBUG" ]; then
@@ -72,25 +69,9 @@ kubectl apply -f ${DIR}/localstack.deployment.yaml
 
 CHART_DIR="$(dirname "$DIR")/charts/kubernetes-external-secrets"
 HELM_TEMPLATE_ARGS="e2e ${CHART_DIR}"
-HELM_TEMPLATE_EXTRA_ARGS="--include-crds --set customResourceManagerDisabled=true"
-E2E_EXTRA_ARGS="--env=DISABLE_CUSTOM_RESOURCE_MANAGER=true"
-if [[ "$HELM_VERSION" == "V3" ]]; then
-  if [[ "$DISABLE_CUSTOM_RESOURCE_MANAGER" == "false" ]]; then
-    HELM_TEMPLATE_EXTRA_ARGS="--skip-crds"
-    E2E_EXTRA_ARGS=""
-  fi
-else
-  HELM_TEMPLATE_ARGS="${CHART_DIR} --name e2e"
-  if [[ "$DISABLE_CUSTOM_RESOURCE_MANAGER" == "true" ]]; then
-    HELM_TEMPLATE_EXTRA_ARGS="--set crds.create=true --set customResourceManagerDisabled=true"
-  else
-    HELM_TEMPLATE_EXTRA_ARGS=""
-    E2E_EXTRA_ARGS=""
-  fi
-fi
 
 helm template ${HELM_TEMPLATE_ARGS} \
-  ${HELM_TEMPLATE_EXTRA_ARGS} \
+  --include-crds \
   --set image.repository=external-secrets \
   --set image.tag=test \
   --set env.LOG_LEVEL=debug \
@@ -132,7 +113,6 @@ kubectl run \
   --env="AWS_DEFAULT_REGION=us-east-1" \
   --env="AWS_REGION=us-east-1" \
   --env="LOCALSTACK_STS_URL=http://sts" \
-  ${E2E_EXTRA_ARGS} \
   --generator=run-pod/v1 \
   --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "external-secrets-e2e"}}' \
   e2e --image=external-secrets-e2e:test

config/index.js

@@ -5,8 +5,7 @@ const { expect } = require('chai')
 
 const {
   kubeClient,
-  customResourceManifest,
-  customResourceManagerDisabled
+  customResourceManifest
 } = require('../../config')
 
 const {
@@ -21,11 +20,7 @@ describe('CRD', () => {
       .customresourcedefinitions(customResourceManifest.metadata.name)
       .get()
 
-    let managedBy = 'custom-resource-manager'
-    if (customResourceManagerDisabled) {
-      managedBy = 'helm'
-    }
-
+    const managedBy = 'helm'
     expect(res).to.not.equal(undefined)
     expect(res.statusCode).to.equal(200)
     expect(res.body.metadata.annotations['app.kubernetes.io/managed-by']).to.equal(managedBy)