.travis.yml

@@ -21,3 +21,4 @@ install: npm install
 script:
 - npm test
 - npm run test-e2e
+- helm lint charts/kubernetes-external-secrets

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.2.1](https://github.com/godaddy/kubernetes-external-secrets/compare/2.2.0...2.2.1) (2019-12-06)
+
+
+### Bug Fixes
+
+* bump pino and sub dependency flatstr, fixes [#218](https://github.com/godaddy/kubernetes-external-secrets/issues/218) ([#219](https://github.com/godaddy/kubernetes-external-secrets/issues/219)) ([db3491b](https://github.com/godaddy/kubernetes-external-secrets/commit/db3491b))
+* **chart:** remove one of the duplicate securityContext ([#222](https://github.com/godaddy/kubernetes-external-secrets/issues/222)) ([2b54f34](https://github.com/godaddy/kubernetes-external-secrets/commit/2b54f34))
+* **kv-backend:** Add empty keyOptions for dataFrom case. ([#221](https://github.com/godaddy/kubernetes-external-secrets/issues/221)) ([8e838ee](https://github.com/godaddy/kubernetes-external-secrets/commit/8e838ee))
+* do not skew binary data ([#244](https://github.com/godaddy/kubernetes-external-secrets/issues/244)) ([01e0ca2](https://github.com/godaddy/kubernetes-external-secrets/commit/01e0ca2))
+
 ## [2.2.0](https://github.com/godaddy/kubernetes-external-secrets/compare/2.1.0...2.2.0) (2019-11-14)
 
 

README.md

@@ -304,6 +304,25 @@ spec:
     property: api-key
 ```
 
+If Vault uses a certificate issued by a self-signed CA you will need to provide that certificate:
+
+```sh
+# Create secret with CA
+kubectl create secret generic vault-ca --from-file=./ca.pem
+```
+
+```yml
+# values.yaml
+env:
+  VAULT_ADDR: https://vault.domain.tld
+  NODE_EXTRA_CA_CERTS: "/usr/local/share/ca-certificates/ca.pem"
+
+filesFromSecret:
+  certificate-authority:
+    secret: vault-ca
+    mountPath: /usr/local/share/ca-certificates
+ ```
+
 ## Metrics
 
 kubernetes-external-secrets exposes the following metrics over a prometheus endpoint:
@@ -350,5 +369,5 @@ npm run local
 Add secrets using the AWS cli (example)
 
 ```sh
- aws --endpoint-url=http://localhost:4584 secretsmanager create-secret --name hello-service/password --secret-string "1234"
+AWS_ACCESS_KEY_ID=foobar AWS_SECRET_ACCESS_KEY=foobar aws --region=us-west-2 --endpoint-url=http://localhost:4584 secretsmanager create-secret --name hello-service/password --secret-string "1234"
 ```

charts/kubernetes-external-secrets/README.md

@@ -63,6 +63,7 @@ The following table lists the configurable parameters of the `kubernetes-externa
 | `serviceAccount.name`                | Service account to be used.                                  | automatically generated                                 |
 | `serviceAccount.annotations`         | Annotations to be added to service account                   | `nil`                                                   |
 | `podAnnotations`                     | Annotations to be added to pods                              | `{}`                                                    |
+| `podLabels`                          | Additional labels to be added to pods                        | `{}`                                                    |
 | `replicaCount`                       | Number of replicas                                           | `1`                                                     |
 | `nodeSelector`                       | node labels for pod assignment                               | `{}`                                                    |
 | `tolerations`                        | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]`                                                    |

charts/kubernetes-external-secrets/templates/deployment.yaml

@@ -18,15 +18,15 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "kubernetes-external-secrets.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- if .Values.podLabels }}
+          {{- toYaml .Values.podLabels | nindent 8 }}
+      {{- end }}
       annotations:
       {{- if .Values.podAnnotations }}
         {{- toYaml .Values.podAnnotations | nindent 8 }}
       {{- end }}
     spec:
       serviceAccountName: {{ template "kubernetes-external-secrets.serviceAccountName" . }}
-      {{- if .Values.securityContext }}
-      securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
-      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

charts/kubernetes-external-secrets/values.yaml

@@ -49,6 +49,7 @@ nameOverride: ""
 fullnameOverride: ""
 
 podAnnotations: {}
+podLabels: {}
 
 securityContext: {}
   # fsGroup: 65534

crd.yaml

@@ -42,6 +42,12 @@ spec:
                 - secretsManager
                 - systemManager
                 - vault
+            vaultRole:
+              type: string
+            vaultMountPoint:
+              type: string
+            key:
+              type: string
             dataFrom:
               type: array
               items:
@@ -64,8 +70,20 @@ spec:
                   - key
             roleArn:
               type: string
-          required:
-            - backendType
+          oneOf:
+            - properties:
+                backendType:
+                  enum:
+                    - secretsManager
+                    - systemManager
+            - properties:
+                backendType:
+                  enum:
+                    - vault
+              required:
+                - vaultRole
+                - vaultMountPoint
+                - key
           anyOf:
             - required:
               - data

e2e/tests/crd.test.js

@@ -27,22 +27,24 @@ describe('CRD', () => {
     kubeClient
       .apis[customResourceManifest.spec.group]
       .v1.namespaces('default')[customResourceManifest.spec.names.plural]
-      .post({ body: {
-        apiVersion: 'kubernetes-client.io/v1',
-        kind: 'ExternalSecret',
-        metadata: {
-          name: `e2e-test-validation-${uuid}`
-        },
-        secretDescriptor: {
-          backendType: 'systemManager',
-          data: [
-            {
-              key: `/e2e/${uuid}/name`,
-              name: 'name'
-            }
-          ]
+      .post({
+        body: {
+          apiVersion: 'kubernetes-client.io/v1',
+          kind: 'ExternalSecret',
+          metadata: {
+            name: `e2e-test-validation-${uuid}`
+          },
+          secretDescriptor: {
+            backendType: 'systemManager',
+            data: [
+              {
+                key: `/e2e/${uuid}/name`,
+                name: 'name'
+              }
+            ]
+          }
         }
-      } })
+      })
       .catch(err => expect(err).to.be.an('error'))
   })
 })

e2e/tests/secrets-manager.test.js

@@ -31,28 +31,30 @@ describe('secretsmanager', async () => {
     result = await kubeClient
       .apis[customResourceManifest.spec.group]
       .v1.namespaces('default')[customResourceManifest.spec.names.plural]
-      .post({ body: {
-        apiVersion: 'kubernetes-client.io/v1',
-        kind: 'ExternalSecret',
-        metadata: {
-          name: `e2e-secretmanager-${uuid}`
-        },
-        spec: {
-          backendType: 'secretsManager',
-          data: [
-            {
-              key: `e2e/${uuid}/credentials`,
-              property: 'password',
-              name: 'password'
-            },
-            {
-              key: `e2e/${uuid}/credentials`,
-              property: 'username',
-              name: 'username'
-            }
-          ]
+      .post({
+        body: {
+          apiVersion: 'kubernetes-client.io/v1',
+          kind: 'ExternalSecret',
+          metadata: {
+            name: `e2e-secretmanager-${uuid}`
+          },
+          spec: {
+            backendType: 'secretsManager',
+            data: [
+              {
+                key: `e2e/${uuid}/credentials`,
+                property: 'password',
+                name: 'password'
+              },
+              {
+                key: `e2e/${uuid}/credentials`,
+                property: 'username',
+                name: 'username'
+              }
+            ]
+          }
         }
-      } })
+      })
 
     expect(result).to.not.equal(undefined)
     expect(result.statusCode).to.equal(201)
@@ -86,29 +88,31 @@ describe('secretsmanager', async () => {
     result = await kubeClient
       .apis[customResourceManifest.spec.group]
       .v1.namespaces('default')[customResourceManifest.spec.names.plural]
-      .post({ body: {
-        apiVersion: 'kubernetes-client.io/v1',
-        kind: 'ExternalSecret',
-        metadata: {
-          name: `e2e-secretmanager-tls-${uuid}`
-        },
-        spec: {
-          backendType: 'secretsManager',
-          type: 'kubernetes.io/tls',
-          data: [
-            {
-              key: `e2e/${uuid}/tls/cert`,
-              property: 'crt',
-              name: 'tls.crt'
-            },
-            {
-              key: `e2e/${uuid}/tls/cert`,
-              property: 'key',
-              name: 'tls.key'
-            }
-          ]
+      .post({
+        body: {
+          apiVersion: 'kubernetes-client.io/v1',
+          kind: 'ExternalSecret',
+          metadata: {
+            name: `e2e-secretmanager-tls-${uuid}`
+          },
+          spec: {
+            backendType: 'secretsManager',
+            type: 'kubernetes.io/tls',
+            data: [
+              {
+                key: `e2e/${uuid}/tls/cert`,
+                property: 'crt',
+                name: 'tls.crt'
+              },
+              {
+                key: `e2e/${uuid}/tls/cert`,
+                property: 'key',
+                name: 'tls.key'
+              }
+            ]
+          }
         }
-      } })
+      })
 
     expect(result).to.not.equal(undefined)
     expect(result.statusCode).to.equal(201)
@@ -156,31 +160,33 @@ describe('secretsmanager', async () => {
       result = await kubeClient
         .apis[customResourceManifest.spec.group]
         .v1.namespaces('default')[customResourceManifest.spec.names.plural]
-        .post({ body: {
-          apiVersion: 'kubernetes-client.io/v1',
-          kind: 'ExternalSecret',
-          metadata: {
-            name: `e2e-secretmanager-permitted-tls-${uuid}`
-          },
-          spec: {
-            backendType: 'secretsManager',
-            type: 'kubernetes.io/tls',
-            // this should not be allowed
-            roleArn: 'let-me-be-root',
-            data: [
-              {
-                key: `e2e/${uuid}/tls/permitted`,
-                property: 'crt',
-                name: 'tls.crt'
-              },
-              {
-                key: `e2e/${uuid}/tls/permitted`,
-                property: 'key',
-                name: 'tls.key'
-              }
-            ]
+        .post({
+          body: {
+            apiVersion: 'kubernetes-client.io/v1',
+            kind: 'ExternalSecret',
+            metadata: {
+              name: `e2e-secretmanager-permitted-tls-${uuid}`
+            },
+            spec: {
+              backendType: 'secretsManager',
+              type: 'kubernetes.io/tls',
+              // this should not be allowed
+              roleArn: 'let-me-be-root',
+              data: [
+                {
+                  key: `e2e/${uuid}/tls/permitted`,
+                  property: 'crt',
+                  name: 'tls.crt'
+                },
+                {
+                  key: `e2e/${uuid}/tls/permitted`,
+                  property: 'key',
+                  name: 'tls.key'
+                }
+              ]
+            }
           }
-        } })
+        })
 
       expect(result).to.not.equal(undefined)
       expect(result.statusCode).to.equal(201)