feat: add validation to CRD (#208)

* feat: add validation to CRD
* docs: add deprecation notice
* docs: bump prereq kubernetes version

Author: Flydiverny

README.md

@@ -174,6 +174,17 @@ data:
   password: MTIzNA==
 ```
 
+## Deprecations
+
+A few properties has changed name overtime, we still maintain backwards compatbility with these but they will eventually be removed, and they are not validated using the CRD validation.
+
+| Old                           | New                            |
+| ----------------------------- | ------------------------------ |
+| `secretDescriptor`            | `spec`                         |
+| `spec.type`                   | `spec.template.type`           |
+| `spec.properties`             | `spec.data`                    |
+| `backendType: secretManager`  | `backendType: secretsManager`  |
+
 ## Backends
 
 kubernetes-external-secrets supports AWS Secrets Manager, AWS System Manager, and Hashicorp Vault.
@@ -197,7 +208,7 @@ aws secretsmanager create-secret --region us-west-2 --name hello-service/credent
 We can declare which properties we want from hello-service/credentials:
 
 ```yml
-apiVersion: 'kubernetes-client.io/v1'
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
   name: hello-service
@@ -217,7 +228,7 @@ spec:
 alternatively you can use `dataFrom` and get all the values from hello-service/credentials:
 
 ```yml
-apiVersion: 'kubernetes-client.io/v1'
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
   name: hello-service
@@ -232,7 +243,7 @@ spec:
 `data` and `dataFrom` can of course be combined, any naming conflicts will use the last defined, with `data` overriding `dataFrom`
 
 ```yml
-apiVersion: 'kubernetes-client.io/v1'
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
   name: hello-service

charts/kubernetes-external-secrets/README.md

@@ -11,7 +11,7 @@ $ helm install external-secrets/kubernetes-external-secrets
 
 ## Prerequisites
 
-* Kubernetes 1.7+
+* Kubernetes 1.12+
 
 ## Installing the Chart
 

config/index.js

@@ -4,15 +4,21 @@ const vault = require('node-vault')
 const kube = require('kubernetes-client')
 const KubeRequest = require('kubernetes-client/backends/request')
 const pino = require('pino')
+const yaml = require('js-yaml')
+const fs = require('fs')
+const path = require('path')
 
 const awsConfig = require('./aws-config')
 const envConfig = require('./environment')
 const CustomResourceManager = require('../lib/custom-resource-manager')
-const customResourceManifest = require('../custom-resource-manifest.json')
 const SecretsManagerBackend = require('../lib/backends/secrets-manager-backend')
 const SystemManagerBackend = require('../lib/backends/system-manager-backend')
 const VaultBackend = require('../lib/backends/vault-backend')
 
+// Get document, or throw exception on error
+// eslint-disable-next-line security/detect-non-literal-fs-filename
+const customResourceManifest = yaml.safeLoad(fs.readFileSync(path.resolve(__dirname, '../crd.yaml'), 'utf8'))
+
 const kubeconfig = new kube.KubeConfig()
 kubeconfig.loadFromDefault()
 const kubeBackend = new KubeRequest({ kubeconfig })

crd.yaml

@@ -0,0 +1,76 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: externalsecrets.kubernetes-client.io
+spec:
+  group: kubernetes-client.io
+  version: v1
+  scope: Namespaced
+
+  names:
+    shortNames:
+    - es
+    kind: ExternalSecret
+    plural: externalsecrets
+    singular: externalsecret
+
+  additionalPrinterColumns:
+  - JSONPath: .status.lastSync
+    name: Last Sync
+    type: date
+  - JSONPath: .status.status
+    name: status
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
+
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          type: object
+          properties:
+            template:
+              description: Template which will be deep merged without mutating
+                any existing fields. into generated secret, can be used to
+                set for example annotations or type on the generated secret
+              type: object
+            backendType:
+              type: string
+              enum:
+                - secretsManager
+                - systemManager
+                - vault
+            dataFrom:
+              type: array
+              items:
+                type: string
+            data:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    description: Secret key in backend
+                    type: string
+                  name:
+                    description: Name set for this key in the generated secret
+                    type: string
+                  property:
+                    description: Property to extract if secret in backend is a JSON object
+                required:
+                  - name
+                  - key
+            roleArn:
+              type: string
+          required:
+            - backendType
+          anyOf:
+            - required:
+              - data
+            - required:
+              - dataFrom
+
+  subresources:
+    status: {}

custom-resource-manifest.json

@@ -0,0 +1,8 @@
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: data-from-example
+spec:
+  backendType: systemManager
+  dataFrom:
+    - /foo/name1

examples/data-from-example.yml

@@ -1,10 +1,11 @@
 apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: dockerhub-secret
+  name: dockerconfig-example
 spec:
   backendType: secretsManager
-  type: kubernetes.io/dockerconfigjson
+  template:
+    type: kubernetes.io/dockerconfigjson
   data:
     - key: /development/dockerhub
       name: .dockerconfigjson

examples/dockerconfig-example.yml

@@ -1,9 +1,15 @@
-apiVersion: 'kubernetes-client.io/v1'
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
   name: hello-service
 spec:
+  template:
+    metadata:
+      annotations:
+        external-secret: 'Yes please!'
   backendType: secretsManager
   data:
     - key: hello-service/password
       name: password
+  dataFrom:
+    - hello-service/secret-envs

examples/hello-service-external-secret.yml

@@ -1,7 +1,7 @@
-apiVersion: 'kubernetes-client.io/v1'
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: demo-service
+  name: secretsmanager-example
 spec:
   backendType: secretsManager
   # optional: specify role to assume when retrieving the data

examples/secretsmanager-example.yaml

@@ -1,7 +1,7 @@
-apiVersion: 'kubernetes-client.io/v1'
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: ssm-secret-key
+  name: ssm-example
 spec:
   backendType: systemManager
   # optional: specify role to assume when retrieving the data

examples/ssm-example.yaml

@@ -1,10 +1,11 @@
 apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: dockerhub-secret
+  name: tls-secret
 spec:
   backendType: secretsManager
-  type: kubernetes.io/tls
+  template:
+    type: kubernetes.io/tls
   data:
     - key: /development/certificate
       property: crt

examples/tls-example.yml

@@ -75,10 +75,15 @@ class Poller {
    */
   async _createSecretManifest () {
     const spec = this._spec
-    const template = spec.template
+    const template = spec.template || {}
+
+    // spec.type for backwards compat
+    const type = template.type || spec.type || 'Opaque'
+
     const data = await this._backends[spec.backendType]
       .getSecretManifestData({ spec })
-    let secretManifest = {
+
+    const secretManifest = {
       apiVersion: 'v1',
       kind: 'Secret',
       metadata: {
@@ -87,15 +92,11 @@ class Poller {
           this._ownerReference
         ]
       },
-      type: spec.type || 'Opaque',
+      type,
       data
     }
 
-    if (template) {
-      secretManifest = merge(clonedeep(template), secretManifest)
-    }
-
-    return secretManifest
+    return merge(clonedeep(template), secretManifest)
   }
 
   /**

lib/poller.js

@@ -183,12 +183,12 @@ describe('Poller', () => {
       })
     })
 
-    it('creates secret manifest - with type', async () => {
+    it('creates secret manifest - with type (backwards compat)', async () => {
       const poller = pollerFactory({
         type: 'dummy-test-type',
         backendType: 'fakeBackendType',
         name: 'fakeSecretName',
-        properties: [
+        data: [
           'fakePropertyName1',
           'fakePropertyName2'
         ]
@@ -206,7 +206,7 @@ describe('Poller', () => {
           type: 'dummy-test-type',
           backendType: 'fakeBackendType',
           name: 'fakeSecretName',
-          properties: [
+          data: [
             'fakePropertyName1',
             'fakePropertyName2'
           ]
@@ -228,6 +228,32 @@ describe('Poller', () => {
       })
     })
 
+    it('creates secret manifest - with template type (should work with backwards compat type)', async () => {
+      const poller = pollerFactory({
+        template: {
+          type: 'dummy-test-type'
+        },
+        backendType: 'fakeBackendType',
+        name: 'fakeSecretName',
+        data: []
+      })
+
+      backendMock.getSecretManifestData.resolves({})
+
+      const secretManifest = await poller._createSecretManifest()
+
+      expect(secretManifest).deep.equals({
+        apiVersion: 'v1',
+        kind: 'Secret',
+        metadata: {
+          name: 'fakeSecretName',
+          ownerReferences: [getOwnerReference()]
+        },
+        type: 'dummy-test-type',
+        data: {}
+      })
+    })
+
     it('creates secret manifest - with template', async () => {
       const poller = pollerFactory({
         type: 'dummy-test-type',

lib/poller.test.js

@@ -30,6 +30,7 @@
   "dependencies": {
     "aws-sdk": "^2.566.0",
     "express": "^4.17.1",
+    "js-yaml": "^3.13.1",
     "json-stream": "^1.0.0",
     "kubernetes-client": "^8.3.0",
     "lodash.clonedeep": "^4.5.0",