mirror of
				https://github.com/1Password/onepassword-operator.git
				synced 2025-10-25 08:50:45 +00:00 
			
		
		
		
	Compare commits
	
		
			64 Commits
		
	
	
		
			v1.9.1
			...
			6baef1b9cf
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|   | 6baef1b9cf | ||
|   | 7e08158d2f | ||
|   | 976909c438 | ||
|   | e61ba49018 | ||
|   | 6492b3cf34 | ||
|   | 9d08bcc864 | ||
|   | f7f5462133 | ||
|   | a1cbd40f9e | ||
|   | d75a33d524 | ||
|   | b1b6c97a88 | ||
|   | 0c3caf88b6 | ||
|   | 24edff22d4 | ||
|   | 8c893270f4 | ||
|   | d5f1044571 | ||
|   | b40f27b052 | ||
|   | cd03a651ad | ||
|   | 9aac824066 | ||
|   | 05ad484bd6 | ||
|   | 71b29d5fe6 | ||
|   | c082f9562e | ||
|   | 57478247cf | ||
|   | 4836140f66 | ||
|   | 2b36f16940 | ||
|   | bb97134e10 | ||
|   | 904d269e7b | ||
|   | cf9b267eaf | ||
|   | 4d64beab86 | ||
|   | ca051a08cf | ||
|   | 22a7c8f586 | ||
|   | 2003d13788 | ||
|   | 7187f41ef1 | ||
|   | d0b11c70f0 | ||
|   | 9825cb57c9 | ||
|   | 6bb6088353 | ||
|   | 5a56fd3330 | ||
|   | dcd7eefac0 | ||
|   | 29b7ed7899 | ||
|   | 331e8d7bfb | ||
|   | c144bd3d01 | ||
|   | 299689fe13 | ||
|   | 882d8e951d | ||
|   | 7885ba649b | ||
|   | 600adf2670 | ||
|   | 88b2dfbf67 | ||
|   | e167db2357 | ||
|   | 91a9bb6d63 | ||
|   | 116c8c92a7 | ||
|   | 4307e9d713 | ||
|   | 1759055edd | ||
|   | c1e9934088 | ||
|   | 19b629f2ee | ||
|   | 174f952691 | ||
|   | f8704223c8 | ||
|   | 5630d788a2 | ||
|   | d504e5ef35 | ||
|   | 7d2596a4aa | ||
|   | f6b267726d | ||
|   | bf8c1291b2 | ||
|   | cd504ec7df | ||
|   | cabc020cc6 | ||
|   | 4deb27b853 | ||
|   | 75e24e9e47 | ||
|   | 583b8251d8 | ||
|   | 285066139f | 
							
								
								
									
										25
									
								
								.devcontainer/devcontainer.json
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
								.devcontainer/devcontainer.json
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,25 @@ | |||||||
|  | { | ||||||
|  |   "name": "Kubebuilder DevContainer", | ||||||
|  |   "image": "docker.io/golang:1.24", | ||||||
|  |   "features": { | ||||||
|  |     "ghcr.io/devcontainers/features/docker-in-docker:2": {}, | ||||||
|  |     "ghcr.io/devcontainers/features/git:1": {} | ||||||
|  |   }, | ||||||
|  |  | ||||||
|  |   "runArgs": ["--network=host"], | ||||||
|  |  | ||||||
|  |   "customizations": { | ||||||
|  |     "vscode": { | ||||||
|  |       "settings": { | ||||||
|  |         "terminal.integrated.shell.linux": "/bin/bash" | ||||||
|  |       }, | ||||||
|  |       "extensions": [ | ||||||
|  |         "ms-kubernetes-tools.vscode-kubernetes-tools", | ||||||
|  |         "ms-azuretools.vscode-docker" | ||||||
|  |       ] | ||||||
|  |     } | ||||||
|  |   }, | ||||||
|  |  | ||||||
|  |   "onCreateCommand": "bash .devcontainer/post-install.sh" | ||||||
|  | } | ||||||
|  |  | ||||||
							
								
								
									
										23
									
								
								.devcontainer/post-install.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										23
									
								
								.devcontainer/post-install.sh
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,23 @@ | |||||||
|  | #!/bin/bash | ||||||
|  | set -x | ||||||
|  |  | ||||||
|  | curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 | ||||||
|  | chmod +x ./kind | ||||||
|  | mv ./kind /usr/local/bin/kind | ||||||
|  |  | ||||||
|  | curl -L -o kubebuilder https://go.kubebuilder.io/dl/latest/linux/amd64 | ||||||
|  | chmod +x kubebuilder | ||||||
|  | mv kubebuilder /usr/local/bin/ | ||||||
|  |  | ||||||
|  | KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt) | ||||||
|  | curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl" | ||||||
|  | chmod +x kubectl | ||||||
|  | mv kubectl /usr/local/bin/kubectl | ||||||
|  |  | ||||||
|  | docker network create -d=bridge --subnet=172.19.0.0/24 kind | ||||||
|  |  | ||||||
|  | kind version | ||||||
|  | kubebuilder version | ||||||
|  | docker --version | ||||||
|  | go version | ||||||
|  | kubectl version --client | ||||||
							
								
								
									
										25
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										25
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							| @@ -1,21 +1,22 @@ | |||||||
| name: Build and Test | name: Build | ||||||
| on: [push, pull_request] |  | ||||||
|  | on: | ||||||
|  |   push: | ||||||
|  |     branches: [main] | ||||||
|  |   pull_request: | ||||||
|  |  | ||||||
| jobs: | jobs: | ||||||
|   build: |   build: | ||||||
|     name: Build |     name: Run on Ubuntu | ||||||
|     runs-on: ubuntu-latest |     runs-on: ubuntu-latest | ||||||
|     steps: |     steps: | ||||||
|     - name: Set up Go 1.x |     - name: Clone the code | ||||||
|       uses: actions/setup-go@v4 |  | ||||||
|       with: |  | ||||||
|         go-version: ^1.21 |  | ||||||
|  |  | ||||||
|     - name: Check out code into the Go module directory |  | ||||||
|       uses: actions/checkout@v4 |       uses: actions/checkout@v4 | ||||||
|  |  | ||||||
|  |     - name: Setup Go | ||||||
|  |       uses: actions/setup-go@v5 | ||||||
|  |       with: | ||||||
|  |         go-version-file: go.mod | ||||||
|  |  | ||||||
|     - name: Build |     - name: Build | ||||||
|       run: go build -v ./... |       run: go build -v ./... | ||||||
|  |  | ||||||
|     - name: Test |  | ||||||
|       run: make test |  | ||||||
|   | |||||||
							
								
								
									
										24
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,24 @@ | |||||||
|  | name: Lint | ||||||
|  |  | ||||||
|  | on: | ||||||
|  |   push: | ||||||
|  |     branches: [main] | ||||||
|  |   pull_request: | ||||||
|  |  | ||||||
|  | jobs: | ||||||
|  |   lint: | ||||||
|  |     name: Run on Ubuntu | ||||||
|  |     runs-on: ubuntu-latest | ||||||
|  |     steps: | ||||||
|  |       - name: Clone the code | ||||||
|  |         uses: actions/checkout@v4 | ||||||
|  |  | ||||||
|  |       - name: Setup Go | ||||||
|  |         uses: actions/setup-go@v5 | ||||||
|  |         with: | ||||||
|  |           go-version-file: go.mod | ||||||
|  |  | ||||||
|  |       - name: Run linter | ||||||
|  |         uses: golangci/golangci-lint-action@v8 | ||||||
|  |         with: | ||||||
|  |           version: v2.2 | ||||||
							
								
								
									
										47
									
								
								.github/workflows/test-e2e.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										47
									
								
								.github/workflows/test-e2e.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,47 @@ | |||||||
|  | name: Test E2E | ||||||
|  |  | ||||||
|  | on: | ||||||
|  |   pull_request: | ||||||
|  |     types: [opened, synchronize, reopened] | ||||||
|  |     branches: ['**']   # run for PRs targeting any branch (main and others) | ||||||
|  |  | ||||||
|  | concurrency: | ||||||
|  |   group: e2e-${{ github.event.pull_request.head.ref }} | ||||||
|  |   cancel-in-progress: true # cancel previous job runs for the same branch | ||||||
|  |  | ||||||
|  | jobs: | ||||||
|  |   e2e-test: | ||||||
|  |     runs-on: ubuntu-latest | ||||||
|  |     steps: | ||||||
|  |       - name: Checkout code | ||||||
|  |         uses: actions/checkout@v4 | ||||||
|  |  | ||||||
|  |       - name: Set up Go | ||||||
|  |         uses: actions/setup-go@v5 | ||||||
|  |         with: | ||||||
|  |           go-version-file: go.mod | ||||||
|  |  | ||||||
|  |       - name: Install dependencies | ||||||
|  |         run: go mod tidy | ||||||
|  |  | ||||||
|  |       - name: Create kind cluster | ||||||
|  |         uses: helm/kind-action@v1 | ||||||
|  |         with: | ||||||
|  |           cluster_name: onepassword-operator-test-e2e | ||||||
|  |  | ||||||
|  |       - name: Install 1Password CLI | ||||||
|  |         uses: 1password/install-cli-action@v2 | ||||||
|  |         with: | ||||||
|  |           version: 2.32.0 | ||||||
|  |  | ||||||
|  |       - name: Create '1password-credentials.json' file | ||||||
|  |         env: | ||||||
|  |           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} | ||||||
|  |         run: | | ||||||
|  |           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json | ||||||
|  |  | ||||||
|  |       - name: Run E2E tests | ||||||
|  |         run: make test-e2e | ||||||
|  |         env: | ||||||
|  |           OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} | ||||||
|  |           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | ||||||
							
								
								
									
										24
									
								
								.github/workflows/test.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
								.github/workflows/test.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,24 @@ | |||||||
|  | name: Tests | ||||||
|  |  | ||||||
|  | on: | ||||||
|  |   push: | ||||||
|  |     branches: [main] | ||||||
|  |   pull_request: | ||||||
|  |  | ||||||
|  | jobs: | ||||||
|  |   test: | ||||||
|  |     name: Run on Ubuntu | ||||||
|  |     runs-on: ubuntu-latest | ||||||
|  |     steps: | ||||||
|  |       - name: Clone the code | ||||||
|  |         uses: actions/checkout@v4 | ||||||
|  |  | ||||||
|  |       - name: Setup Go | ||||||
|  |         uses: actions/setup-go@v5 | ||||||
|  |         with: | ||||||
|  |           go-version-file: go.mod | ||||||
|  |  | ||||||
|  |       - name: Running Tests | ||||||
|  |         run: | | ||||||
|  |           go mod tidy | ||||||
|  |           make test | ||||||
							
								
								
									
										9
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										9
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -8,14 +8,16 @@ | |||||||
| bin | bin | ||||||
| testbin/* | testbin/* | ||||||
|  |  | ||||||
| # Test binary, build with `go test -c` | # Test binary, built with `go test -c` | ||||||
| *.test | *.test | ||||||
|  |  | ||||||
| # Output of the go coverage tool, specifically when used with LiteIDE | # Output of the go coverage tool, specifically when used with LiteIDE | ||||||
| *.out | *.out | ||||||
|  |  | ||||||
| # Kubernetes Generated files - skip generated files, except for vendored files | # Go workspace file | ||||||
|  | go.work | ||||||
|  |  | ||||||
|  | # Kubernetes Generated files - skip generated files, except for vendored files | ||||||
| !vendor/**/zz_generated.* | !vendor/**/zz_generated.* | ||||||
|  |  | ||||||
| # editor and IDE paraphernalia | # editor and IDE paraphernalia | ||||||
| @@ -23,3 +25,6 @@ testbin/* | |||||||
| *.swp | *.swp | ||||||
| *.swo | *.swo | ||||||
| *~ | *~ | ||||||
|  |  | ||||||
|  | 1password-credentials.json | ||||||
|  | op-session | ||||||
|   | |||||||
							
								
								
									
										52
									
								
								.golangci.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										52
									
								
								.golangci.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,52 @@ | |||||||
|  | version: "2" | ||||||
|  | run: | ||||||
|  |   allow-parallel-runners: true | ||||||
|  | linters: | ||||||
|  |   default: none | ||||||
|  |   enable: | ||||||
|  |     - copyloopvar | ||||||
|  |     - dupl | ||||||
|  |     - errcheck | ||||||
|  |     - ginkgolinter | ||||||
|  |     - goconst | ||||||
|  |     - gocyclo | ||||||
|  |     - govet | ||||||
|  |     - ineffassign | ||||||
|  |     - lll | ||||||
|  |     - misspell | ||||||
|  |     - nakedret | ||||||
|  |     - prealloc | ||||||
|  |     - revive | ||||||
|  |     - staticcheck | ||||||
|  |     - unconvert | ||||||
|  |     - unparam | ||||||
|  |     - unused | ||||||
|  |   settings: | ||||||
|  |     revive: | ||||||
|  |       rules: | ||||||
|  |         - name: comment-spacings | ||||||
|  |         - name: import-shadowing | ||||||
|  |   exclusions: | ||||||
|  |     generated: lax | ||||||
|  |     rules: | ||||||
|  |       - linters: | ||||||
|  |           - lll | ||||||
|  |         path: api/* | ||||||
|  |       - linters: | ||||||
|  |           - dupl | ||||||
|  |           - lll | ||||||
|  |         path: internal/* | ||||||
|  |     paths: | ||||||
|  |       - third_party$ | ||||||
|  |       - builtin$ | ||||||
|  |       - examples$ | ||||||
|  | formatters: | ||||||
|  |   enable: | ||||||
|  |     - gofmt | ||||||
|  |     - goimports | ||||||
|  |   exclusions: | ||||||
|  |     generated: lax | ||||||
|  |     paths: | ||||||
|  |       - third_party$ | ||||||
|  |       - builtin$ | ||||||
|  |       - examples$ | ||||||
| @@ -4,7 +4,17 @@ Thank you for your interest in contributing to the 1Password Kubernetes Operator | |||||||
|  |  | ||||||
| ## Testing | ## Testing | ||||||
|  |  | ||||||
| - For functional testing, run the local version of the operator. From the project root: | All contributions must include tests where applicable. | ||||||
|  |  | ||||||
|  | - **Unit tests** for pure Go logic. | ||||||
|  | - **Integration tests** for controller/reconciler logic using envtest. | ||||||
|  | - **E2E tests** for full cluster behavior with kind. | ||||||
|  |  | ||||||
|  | 👉 See the [Testing Guide](docs/testing.md) for details on when to use each, how to run them locally, and how they are run in CI.  | ||||||
|  |  | ||||||
|  | ---- | ||||||
|  |  | ||||||
|  | For functional testing, run the local version of the operator. From the project root: | ||||||
|  |  | ||||||
|   ```sh |   ```sh | ||||||
|   # Go to the K8s environment (e.g. minikube) |   # Go to the K8s environment (e.g. minikube) | ||||||
| @@ -20,6 +30,12 @@ Thank you for your interest in contributing to the 1Password Kubernetes Operator | |||||||
|   make undeploy |   make undeploy | ||||||
|   ``` |   ``` | ||||||
|  |  | ||||||
|  | - After making changes to the code: | ||||||
|  | 1. Rebuild the Docker image by running `make docker-build` | ||||||
|  | 2. Restart deployment `make restart` | ||||||
|  |  | ||||||
|  | ---- | ||||||
|  |  | ||||||
| - For testing the changes made to the `OnePasswordItem` Custom Resource Definition (CRD), you need to re-generate the object: | - For testing the changes made to the `OnePasswordItem` Custom Resource Definition (CRD), you need to re-generate the object: | ||||||
|   ```sh |   ```sh | ||||||
|   make manifests |   make manifests | ||||||
|   | |||||||
| @@ -1,5 +1,5 @@ | |||||||
| # Build the manager binary | # Build the manager binary | ||||||
| FROM golang:1.24 as builder | FROM golang:1.24 AS builder | ||||||
| ARG TARGETOS | ARG TARGETOS | ||||||
| ARG TARGETARCH | ARG TARGETARCH | ||||||
|  |  | ||||||
| @@ -23,11 +23,13 @@ COPY version/ version/ | |||||||
| # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO | # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO | ||||||
| # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, | # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, | ||||||
| # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. | # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. | ||||||
| RUN CGO_ENABLED=0 \ | RUN --mount=type=cache,target=/go/pkg/mod \ | ||||||
|  |     --mount=type=cache,target=/root/.cache/go-build \ | ||||||
|  |     CGO_ENABLED=0 \ | ||||||
|     GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \ |     GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \ | ||||||
|     go build \ |     go build \ | ||||||
|     -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \ |     -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \ | ||||||
|     -a -o manager cmd/main.go |     -o manager cmd/main.go | ||||||
|  |  | ||||||
| # Use distroless as minimal base image to package the manager binary | # Use distroless as minimal base image to package the manager binary | ||||||
| # Refer to https://github.com/GoogleContainerTools/distroless for more details | # Refer to https://github.com/GoogleContainerTools/distroless for more details | ||||||
|   | |||||||
							
								
								
									
										163
									
								
								Makefile
									
									
									
									
									
								
							
							
						
						
									
										163
									
								
								Makefile
									
									
									
									
									
								
							| @@ -7,6 +7,10 @@ export MAIN_BRANCH ?= main | |||||||
| # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) | # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) | ||||||
| VERSION ?= 1.9.1 | VERSION ?= 1.9.1 | ||||||
|  |  | ||||||
|  | # DEPLOYMENT_NAME defines Kubernetes deployment name for the operator. | ||||||
|  | # It should be the same as in 'config/manager/manager.yaml' | ||||||
|  | DEPLOYMENT_NAME ?= onepassword-connect-operator | ||||||
|  |  | ||||||
| # CHANNELS define the bundle channels used in the bundle. | # CHANNELS define the bundle channels used in the bundle. | ||||||
| # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") | # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") | ||||||
| # To re-generate a bundle for other specific channels without changing the standard setup, you can: | # To re-generate a bundle for other specific channels without changing the standard setup, you can: | ||||||
| @@ -50,12 +54,10 @@ endif | |||||||
|  |  | ||||||
| # Set the Operator SDK version to use. By default, what is installed on the system is used. | # Set the Operator SDK version to use. By default, what is installed on the system is used. | ||||||
| # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. | # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. | ||||||
| OPERATOR_SDK_VERSION ?= v1.34.1 | OPERATOR_SDK_VERSION ?= v1.41.1 | ||||||
|  |  | ||||||
| # Image URL to use all building/pushing image targets | # Image URL to use all building/pushing image targets | ||||||
| IMG ?= 1password/onepassword-operator:latest | IMG ?= 1password/onepassword-operator:latest | ||||||
| # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. |  | ||||||
| ENVTEST_K8S_VERSION = 1.29.1 |  | ||||||
|  |  | ||||||
| # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) | # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) | ||||||
| ifeq (,$(shell go env GOBIN)) | ifeq (,$(shell go env GOBIN)) | ||||||
| @@ -82,7 +84,7 @@ all: build | |||||||
|  |  | ||||||
| # The help target prints out all targets with their descriptions organized | # The help target prints out all targets with their descriptions organized | ||||||
| # beneath their categories. The categories are represented by '##@' and the | # beneath their categories. The categories are represented by '##@' and the | ||||||
| # target descriptions by '##'. The awk commands is responsible for reading the | # target descriptions by '##'. The awk command is responsible for reading the | ||||||
| # entire set of makefiles included in this invocation, looking for lines of the | # entire set of makefiles included in this invocation, looking for lines of the | ||||||
| # file as xyz: ## something, and then pretty-format the target and help. Then, | # file as xyz: ## something, and then pretty-format the target and help. Then, | ||||||
| # if there's a line with ##@ something, that gets pretty-printed as a category. | # if there's a line with ##@ something, that gets pretty-printed as a category. | ||||||
| @@ -114,8 +116,49 @@ vet: ## Run go vet against code. | |||||||
| 	go vet ./... | 	go vet ./... | ||||||
|  |  | ||||||
| .PHONY: test | .PHONY: test | ||||||
| test: manifests generate fmt vet envtest ## Run tests. | test: manifests generate fmt vet setup-envtest ## Run tests. | ||||||
| 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out | 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $(shell go list ./... | grep -v /test/e2e) -coverprofile cover.out | ||||||
|  |  | ||||||
|  | # TODO(user): To use a different vendor for e2e tests, modify the setup under 'tests/e2e'. | ||||||
|  | # The default setup assumes Kind is pre-installed and builds/loads the Manager Docker image locally. | ||||||
|  | # CertManager is installed by default; skip with: | ||||||
|  | # - CERT_MANAGER_INSTALL_SKIP=true | ||||||
|  | KIND_CLUSTER ?= onepassword-operator-test-e2e | ||||||
|  |  | ||||||
|  | .PHONY: setup-test-e2e | ||||||
|  | setup-test-e2e: ## Set up a Kind cluster for e2e tests if it does not exist | ||||||
|  | 	@command -v $(KIND) >/dev/null 2>&1 || { \ | ||||||
|  | 		echo "Kind is not installed. Please install Kind manually."; \ | ||||||
|  | 		exit 1; \ | ||||||
|  | 	} | ||||||
|  | 	@case "$$($(KIND) get clusters)" in \ | ||||||
|  | 		*"$(KIND_CLUSTER)"*) \ | ||||||
|  | 			echo "Kind cluster '$(KIND_CLUSTER)' already exists. Skipping creation." ;; \ | ||||||
|  | 		*) \ | ||||||
|  | 			echo "Creating Kind cluster '$(KIND_CLUSTER)'..."; \ | ||||||
|  | 			$(KIND) create cluster --name $(KIND_CLUSTER) ;; \ | ||||||
|  | 	esac | ||||||
|  |  | ||||||
|  | .PHONY: test-e2e | ||||||
|  | test-e2e: setup-test-e2e manifests generate fmt vet ## Run the e2e tests. Expected an isolated environment using Kind. | ||||||
|  | 	KIND_CLUSTER=$(KIND_CLUSTER) go test ./test/e2e/ -v -ginkgo.v | ||||||
|  | 	$(MAKE) cleanup-test-e2e | ||||||
|  |  | ||||||
|  | .PHONY: cleanup-test-e2e | ||||||
|  | cleanup-test-e2e: ## Tear down the Kind cluster used for e2e tests | ||||||
|  | 	@$(KIND) delete cluster --name $(KIND_CLUSTER) | ||||||
|  |  | ||||||
|  | .PHONY: lint | ||||||
|  | lint: golangci-lint ## Run golangci-lint linter | ||||||
|  | 	$(GOLANGCI_LINT) run | ||||||
|  |  | ||||||
|  | .PHONY: lint-fix | ||||||
|  | lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes | ||||||
|  | 	$(GOLANGCI_LINT) run --fix | ||||||
|  |  | ||||||
|  | .PHONY: lint-config | ||||||
|  | lint-config: golangci-lint ## Verify golangci-lint linter configuration | ||||||
|  | 	$(GOLANGCI_LINT) config verify | ||||||
|  |  | ||||||
| ##@ Build | ##@ Build | ||||||
|  |  | ||||||
| @@ -127,30 +170,39 @@ build: manifests generate fmt vet ## Build manager binary. | |||||||
| run: manifests generate fmt vet ## Run a controller from your host. | run: manifests generate fmt vet ## Run a controller from your host. | ||||||
| 	go run ./cmd/main.go | 	go run ./cmd/main.go | ||||||
|  |  | ||||||
| # If you wish built the manager image targeting other platforms you can use the --platform flag. | # If you wish to build the manager image targeting other platforms you can use the --platform flag. | ||||||
| # (i.e. docker build --platform linux/arm64 ). However, you must enable docker buildKit for it. | # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it. | ||||||
| # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ | # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ | ||||||
| .PHONY: docker-build | .PHONY: docker-build | ||||||
| docker-build: test ## Build docker image with the manager. | docker-build: ## Build docker image with the manager. | ||||||
| 	$(CONTAINER_TOOL) build -t ${IMG} . | 	DOCKER_BUILDKIT=1 $(CONTAINER_TOOL) build -t ${IMG} . | ||||||
|  |  | ||||||
| .PHONY: docker-push | .PHONY: docker-push | ||||||
| docker-push: ## Push docker image with the manager. | docker-push: ## Push docker image with the manager. | ||||||
| 	$(CONTAINER_TOOL) push ${IMG} | 	$(CONTAINER_TOOL) push ${IMG} | ||||||
|  |  | ||||||
| # PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple | # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple | ||||||
| # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: | # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: | ||||||
| # - able to use docker buildx . More info: https://docs.docker.com/build/buildx/ | # - be able to use docker buildx. More info: https://docs.docker.com/build/buildx/ | ||||||
| # - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/ | # - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/ | ||||||
| # - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> then the export will fail) | # - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=<myregistry/image:<tag>> then the export will fail) | ||||||
| # To properly provided solutions that supports more than one platform you should use this option. | # To adequately provide solutions that are compatible with multiple platforms, you should consider using this option. | ||||||
| PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le | PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le | ||||||
| .PHONY: docker-buildx | .PHONY: docker-buildx | ||||||
| docker-buildx: ## Build and push docker image for the manager for cross-platform support | docker-buildx: ## Build and push docker image for the manager for cross-platform support | ||||||
| 	- $(CONTAINER_TOOL) buildx create --name project-v3-builder | 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile | ||||||
| 	$(CONTAINER_TOOL) buildx use project-v3-builder | 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross | ||||||
| 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile . | 	- $(CONTAINER_TOOL) buildx create --name onepassword-operator-builder | ||||||
| 	- $(CONTAINER_TOOL) buildx rm project-v3-builder | 	$(CONTAINER_TOOL) buildx use onepassword-operator-builder | ||||||
|  | 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . | ||||||
|  | 	- $(CONTAINER_TOOL) buildx rm onepassword-operator-builder | ||||||
|  | 	rm Dockerfile.cross | ||||||
|  |  | ||||||
|  | .PHONY: build-installer | ||||||
|  | build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment. | ||||||
|  | 	mkdir -p dist | ||||||
|  | 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} | ||||||
|  | 	$(KUSTOMIZE) build config/default > dist/install.yaml | ||||||
|  |  | ||||||
| ##@ Deployment | ##@ Deployment | ||||||
|  |  | ||||||
| @@ -176,10 +228,14 @@ deploy: manifests kustomize set-namespace ## Deploy controller to the K8s cluste | |||||||
| 	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f - | 	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f - | ||||||
|  |  | ||||||
| .PHONY: undeploy | .PHONY: undeploy | ||||||
| undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. | undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. | ||||||
| 	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - | 	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - | ||||||
|  |  | ||||||
| ##@ Build Dependencies | .PHONY: restart | ||||||
|  | restart: ## Restarts deployment so that the operator picks up changes in the deployment configuration. | ||||||
|  | 	$(KUBECTL) rollout restart deployment $(DEPLOYMENT_NAME) | ||||||
|  |  | ||||||
|  | ##@ Dependencies | ||||||
|  |  | ||||||
| ## Location to install dependencies to | ## Location to install dependencies to | ||||||
| LOCALBIN ?= $(shell pwd)/bin | LOCALBIN ?= $(shell pwd)/bin | ||||||
| @@ -188,33 +244,64 @@ $(LOCALBIN): | |||||||
|  |  | ||||||
| ## Tool Binaries | ## Tool Binaries | ||||||
| KUBECTL ?= kubectl | KUBECTL ?= kubectl | ||||||
|  | KIND ?= kind | ||||||
| KUSTOMIZE ?= $(LOCALBIN)/kustomize | KUSTOMIZE ?= $(LOCALBIN)/kustomize | ||||||
| CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen | CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen | ||||||
| ENVTEST ?= $(LOCALBIN)/setup-envtest | ENVTEST ?= $(LOCALBIN)/setup-envtest | ||||||
|  | GOLANGCI_LINT = $(LOCALBIN)/golangci-lint | ||||||
|  |  | ||||||
| ## Tool Versions | ## Tool Versions | ||||||
| KUSTOMIZE_VERSION ?= v5.3.0 | KUSTOMIZE_VERSION ?= v5.6.0 | ||||||
| CONTROLLER_TOOLS_VERSION ?= v0.14.0 | CONTROLLER_TOOLS_VERSION ?= v0.18.0 | ||||||
|  | # ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20) | ||||||
|  | ENVTEST_VERSION := $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}') | ||||||
|  | # ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31) | ||||||
|  | ENVTEST_K8S_VERSION := $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}') | ||||||
|  | GOLANGCI_LINT_VERSION ?= v2.2.0 | ||||||
|  |  | ||||||
| .PHONY: kustomize | .PHONY: kustomize | ||||||
| kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. | kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. | ||||||
| $(KUSTOMIZE): $(LOCALBIN) | $(KUSTOMIZE): $(LOCALBIN) | ||||||
| 	@if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \ | 	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION)) | ||||||
| 		echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \ |  | ||||||
| 		rm -rf $(LOCALBIN)/kustomize; \ |  | ||||||
| 	fi |  | ||||||
| 	test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION) |  | ||||||
|  |  | ||||||
| .PHONY: controller-gen | .PHONY: controller-gen | ||||||
| controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. | controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. | ||||||
| $(CONTROLLER_GEN): $(LOCALBIN) | $(CONTROLLER_GEN): $(LOCALBIN) | ||||||
| 	test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ | 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,$(CONTROLLER_TOOLS_VERSION)) | ||||||
| 	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) |  | ||||||
|  | .PHONY: setup-envtest | ||||||
|  | setup-envtest: envtest ## Download the binaries required for ENVTEST in the local bin directory. | ||||||
|  | 	@echo "Setting up envtest binaries for Kubernetes version $(ENVTEST_K8S_VERSION)..." | ||||||
|  | 	@$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path || { \ | ||||||
|  | 		echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \ | ||||||
|  | 		exit 1; \ | ||||||
|  | 	} | ||||||
|  |  | ||||||
| .PHONY: envtest | .PHONY: envtest | ||||||
| envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. | envtest: $(ENVTEST) ## Download setup-envtest locally if necessary. | ||||||
| $(ENVTEST): $(LOCALBIN) | $(ENVTEST): $(LOCALBIN) | ||||||
| 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest | 	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest,$(ENVTEST_VERSION)) | ||||||
|  |  | ||||||
|  | .PHONY: golangci-lint | ||||||
|  | golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary. | ||||||
|  | $(GOLANGCI_LINT): $(LOCALBIN) | ||||||
|  | 	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION)) | ||||||
|  |  | ||||||
|  | # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist | ||||||
|  | # $1 - target path with name of binary | ||||||
|  | # $2 - package url which can be installed | ||||||
|  | # $3 - specific version of package | ||||||
|  | define go-install-tool | ||||||
|  | @[ -f "$(1)-$(3)" ] || { \ | ||||||
|  | set -e; \ | ||||||
|  | package=$(2)@$(3) ;\ | ||||||
|  | echo "Downloading $${package}" ;\ | ||||||
|  | rm -f $(1) || true ;\ | ||||||
|  | GOBIN=$(LOCALBIN) go install $${package} ;\ | ||||||
|  | mv $(1) $(1)-$(3) ;\ | ||||||
|  | } ;\ | ||||||
|  | ln -sf $(1)-$(3) $(1) | ||||||
|  | endef | ||||||
|  |  | ||||||
| .PHONY: operator-sdk | .PHONY: operator-sdk | ||||||
| OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk | OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk | ||||||
| @@ -242,14 +329,14 @@ bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metada | |||||||
|  |  | ||||||
| .PHONY: bundle-build | .PHONY: bundle-build | ||||||
| bundle-build: ## Build the bundle image. | bundle-build: ## Build the bundle image. | ||||||
| 	docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . | 	$(CONTAINER_TOOL) build -f bundle.Dockerfile -t $(BUNDLE_IMG) . | ||||||
|  |  | ||||||
| .PHONY: bundle-push | .PHONY: bundle-push | ||||||
| bundle-push: ## Push the bundle image. | bundle-push: ## Push the bundle image. | ||||||
| 	$(MAKE) docker-push IMG=$(BUNDLE_IMG) | 	$(MAKE) docker-push IMG=$(BUNDLE_IMG) | ||||||
|  |  | ||||||
| .PHONY: opm | .PHONY: opm | ||||||
| OPM = ./bin/opm | OPM = $(LOCALBIN)/opm | ||||||
| opm: ## Download opm locally if necessary. | opm: ## Download opm locally if necessary. | ||||||
| ifeq (,$(wildcard $(OPM))) | ifeq (,$(wildcard $(OPM))) | ||||||
| ifeq (,$(shell which opm 2>/dev/null)) | ifeq (,$(shell which opm 2>/dev/null)) | ||||||
| @@ -257,7 +344,7 @@ ifeq (,$(shell which opm 2>/dev/null)) | |||||||
| 	set -e ;\ | 	set -e ;\ | ||||||
| 	mkdir -p $(dir $(OPM)) ;\ | 	mkdir -p $(dir $(OPM)) ;\ | ||||||
| 	OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ | 	OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ | ||||||
| 	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\ | 	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm ;\ | ||||||
| 	chmod +x $(OPM) ;\ | 	chmod +x $(OPM) ;\ | ||||||
| 	} | 	} | ||||||
| else | else | ||||||
| @@ -282,7 +369,7 @@ endif | |||||||
| # https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator | # https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator | ||||||
| .PHONY: catalog-build | .PHONY: catalog-build | ||||||
| catalog-build: opm ## Build a catalog image. | catalog-build: opm ## Build a catalog image. | ||||||
| 	$(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) | 	$(OPM) index add --container-tool $(CONTAINER_TOOL) --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) | ||||||
|  |  | ||||||
| # Push the catalog image. | # Push the catalog image. | ||||||
| .PHONY: catalog-push | .PHONY: catalog-push | ||||||
|   | |||||||
| @@ -67,8 +67,8 @@ type OnePasswordItemStatus struct { | |||||||
| 	Conditions []OnePasswordItemCondition `json:"conditions"` | 	Conditions []OnePasswordItemCondition `json:"conditions"` | ||||||
| } | } | ||||||
|  |  | ||||||
| //+kubebuilder:object:root=true | // +kubebuilder:object:root=true | ||||||
| //+kubebuilder:subresource:status | // +kubebuilder:subresource:status | ||||||
|  |  | ||||||
| // OnePasswordItem is the Schema for the onepassworditems API | // OnePasswordItem is the Schema for the onepassworditems API | ||||||
| type OnePasswordItem struct { | type OnePasswordItem struct { | ||||||
| @@ -81,7 +81,7 @@ type OnePasswordItem struct { | |||||||
| 	Status OnePasswordItemStatus `json:"status,omitempty"` | 	Status OnePasswordItemStatus `json:"status,omitempty"` | ||||||
| } | } | ||||||
|  |  | ||||||
| //+kubebuilder:object:root=true | // +kubebuilder:object:root=true | ||||||
|  |  | ||||||
| // OnePasswordItemList contains a list of OnePasswordItem | // OnePasswordItemList contains a list of OnePasswordItem | ||||||
| type OnePasswordItemList struct { | type OnePasswordItemList struct { | ||||||
|   | |||||||
							
								
								
									
										161
									
								
								cmd/main.go
									
									
									
									
									
								
							
							
						
						
									
										161
									
								
								cmd/main.go
									
									
									
									
									
								
							| @@ -26,10 +26,12 @@ package main | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
|  | 	"crypto/tls" | ||||||
| 	"errors" | 	"errors" | ||||||
| 	"flag" | 	"flag" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"os" | 	"os" | ||||||
|  | 	"path/filepath" | ||||||
| 	"regexp" | 	"regexp" | ||||||
| 	"runtime" | 	"runtime" | ||||||
| 	"strconv" | 	"strconv" | ||||||
| @@ -46,9 +48,12 @@ import ( | |||||||
| 	"k8s.io/client-go/rest" | 	"k8s.io/client-go/rest" | ||||||
| 	ctrl "sigs.k8s.io/controller-runtime" | 	ctrl "sigs.k8s.io/controller-runtime" | ||||||
| 	"sigs.k8s.io/controller-runtime/pkg/cache" | 	"sigs.k8s.io/controller-runtime/pkg/cache" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/certwatcher" | ||||||
| 	"sigs.k8s.io/controller-runtime/pkg/healthz" | 	"sigs.k8s.io/controller-runtime/pkg/healthz" | ||||||
| 	"sigs.k8s.io/controller-runtime/pkg/log/zap" | 	"sigs.k8s.io/controller-runtime/pkg/log/zap" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters" | ||||||
| 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" | 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/webhook" | ||||||
|  |  | ||||||
| 	onepasswordcomv1 "github.com/1Password/onepassword-operator/api/v1" | 	onepasswordcomv1 "github.com/1Password/onepassword-operator/api/v1" | ||||||
| 	"github.com/1Password/onepassword-operator/internal/controller" | 	"github.com/1Password/onepassword-operator/internal/controller" | ||||||
| @@ -56,7 +61,7 @@ import ( | |||||||
| 	opclient "github.com/1Password/onepassword-operator/pkg/onepassword/client" | 	opclient "github.com/1Password/onepassword-operator/pkg/onepassword/client" | ||||||
| 	"github.com/1Password/onepassword-operator/pkg/utils" | 	"github.com/1Password/onepassword-operator/pkg/utils" | ||||||
| 	"github.com/1Password/onepassword-operator/version" | 	"github.com/1Password/onepassword-operator/version" | ||||||
| 	//+kubebuilder:scaffold:imports | 	// +kubebuilder:scaffold:imports | ||||||
| ) | ) | ||||||
|  |  | ||||||
| var ( | var ( | ||||||
| @@ -73,13 +78,6 @@ const ( | |||||||
| 	annotationRegExpString = "^operator.1password.io\\/[a-zA-Z\\.]+" | 	annotationRegExpString = "^operator.1password.io\\/[a-zA-Z\\.]+" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| // Change below variables to serve metrics on different host or port. |  | ||||||
| var ( |  | ||||||
| 	metricsHost               = "0.0.0.0" |  | ||||||
| 	metricsPort         int32 = 8383 |  | ||||||
| 	operatorMetricsPort int32 = 8686 |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| func printVersion() { | func printVersion() { | ||||||
| 	setupLog.Info(fmt.Sprintf("Operator Version: %s", version.OperatorVersion)) | 	setupLog.Info(fmt.Sprintf("Operator Version: %s", version.OperatorVersion)) | ||||||
| 	setupLog.Info(fmt.Sprintf("Go Version: %s", runtime.Version())) | 	setupLog.Info(fmt.Sprintf("Go Version: %s", runtime.Version())) | ||||||
| @@ -91,18 +89,36 @@ func init() { | |||||||
| 	utilruntime.Must(clientgoscheme.AddToScheme(scheme)) | 	utilruntime.Must(clientgoscheme.AddToScheme(scheme)) | ||||||
|  |  | ||||||
| 	utilruntime.Must(onepasswordcomv1.AddToScheme(scheme)) | 	utilruntime.Must(onepasswordcomv1.AddToScheme(scheme)) | ||||||
| 	//+kubebuilder:scaffold:scheme | 	// +kubebuilder:scaffold:scheme | ||||||
| } | } | ||||||
|  |  | ||||||
| func main() { | func main() { | ||||||
| 	var metricsAddr string | 	var metricsAddr string | ||||||
|  | 	var metricsCertPath, metricsCertName, metricsCertKey string | ||||||
|  | 	var webhookCertPath, webhookCertName, webhookCertKey string | ||||||
| 	var enableLeaderElection bool | 	var enableLeaderElection bool | ||||||
| 	var probeAddr string | 	var probeAddr string | ||||||
| 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") | 	var secureMetrics bool | ||||||
| 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") | 	var enableHTTP2 bool | ||||||
|  | 	var tlsOpts []func(*tls.Config) | ||||||
|  | 	flag.StringVar(&metricsAddr, "metrics-bind-address", "8080", | ||||||
|  | 		"The address the metrics endpoint binds to. "+ | ||||||
|  | 			"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") | ||||||
|  | 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", | ||||||
|  | 		"The address the probe endpoint binds to.") | ||||||
| 	flag.BoolVar(&enableLeaderElection, "leader-elect", false, | 	flag.BoolVar(&enableLeaderElection, "leader-elect", false, | ||||||
| 		"Enable leader election for controller manager. "+ | 		"Enable leader election for controller manager. "+ | ||||||
| 			"Enabling this will ensure there is only one active controller manager.") | 			"Enabling this will ensure there is only one active controller manager.") | ||||||
|  | 	flag.BoolVar(&secureMetrics, "metrics-secure", true, | ||||||
|  | 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") | ||||||
|  | 	flag.StringVar(&metricsCertPath, "metrics-cert-path", "", | ||||||
|  | 		"The directory that contains the metrics server certificate.") | ||||||
|  | 	flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", | ||||||
|  | 		"The name of the metrics server certificate file.") | ||||||
|  | 	flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", | ||||||
|  | 		"The name of the metrics server key file.") | ||||||
|  | 	flag.BoolVar(&enableHTTP2, "enable-http2", false, | ||||||
|  | 		"If set, HTTP/2 will be enabled for the metrics") | ||||||
| 	opts := zap.Options{ | 	opts := zap.Options{ | ||||||
| 		Development: true, | 		Development: true, | ||||||
| 	} | 	} | ||||||
| @@ -111,6 +127,21 @@ func main() { | |||||||
|  |  | ||||||
| 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) | 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) | ||||||
|  |  | ||||||
|  | 	// if the enable-http2 flag is false (the default), http/2 should be disabled | ||||||
|  | 	// due to its vulnerabilities. More specifically, disabling http/2 will | ||||||
|  | 	// prevent from being vulnerable to the HTTP/2 Stream Cancelation and | ||||||
|  | 	// Rapid Reset CVEs. For more information see: | ||||||
|  | 	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 | ||||||
|  | 	// - https://github.com/advisories/GHSA-4374-p667-p6c8 | ||||||
|  | 	disableHTTP2 := func(c *tls.Config) { | ||||||
|  | 		setupLog.Info("disabling http/2") | ||||||
|  | 		c.NextProtos = []string{"http/1.1"} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if !enableHTTP2 { | ||||||
|  | 		tlsOpts = append(tlsOpts, disableHTTP2) | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	printVersion() | 	printVersion() | ||||||
|  |  | ||||||
| 	// Create a root context that will be cancelled on termination signals | 	// Create a root context that will be cancelled on termination signals | ||||||
| @@ -128,12 +159,104 @@ func main() { | |||||||
| 		os.Exit(1) | 		os.Exit(1) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|  | 	// Create watchers for metrics and webhooks certificates | ||||||
|  | 	var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher | ||||||
|  |  | ||||||
|  | 	// Initial webhook TLS options | ||||||
|  | 	webhookTLSOpts := tlsOpts | ||||||
|  |  | ||||||
|  | 	if len(webhookCertPath) > 0 { | ||||||
|  | 		setupLog.Info("Initializing webhook certificate watcher using provided certificates", | ||||||
|  | 			"webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey) | ||||||
|  |  | ||||||
|  | 		var err error | ||||||
|  | 		webhookCertWatcher, err = certwatcher.New( | ||||||
|  | 			filepath.Join(webhookCertPath, webhookCertName), | ||||||
|  | 			filepath.Join(webhookCertPath, webhookCertKey), | ||||||
|  | 		) | ||||||
|  | 		if err != nil { | ||||||
|  | 			setupLog.Error(err, "Failed to initialize webhook certificate watcher") | ||||||
|  | 			os.Exit(1) | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) { | ||||||
|  | 			config.GetCertificate = webhookCertWatcher.GetCertificate | ||||||
|  | 		}) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	webhookServer := webhook.NewServer(webhook.Options{ | ||||||
|  | 		TLSOpts: webhookTLSOpts, | ||||||
|  | 	}) | ||||||
|  |  | ||||||
|  | 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. | ||||||
|  | 	// More info: | ||||||
|  | 	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/server | ||||||
|  | 	// - https://book.kubebuilder.io/reference/metrics.html | ||||||
|  | 	metricsServerOptions := metricsserver.Options{ | ||||||
|  | 		BindAddress:   metricsAddr, | ||||||
|  | 		SecureServing: secureMetrics, | ||||||
|  | 		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are | ||||||
|  | 		// not provided, self-signed certificates will be generated by default. This option is not recommended for | ||||||
|  | 		// production environments as self-signed certificates do not offer the same level of trust and security | ||||||
|  | 		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing | ||||||
|  | 		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName | ||||||
|  | 		// to provide certificates, ensuring the server communicates using trusted and secure certificates. | ||||||
|  | 		TLSOpts: tlsOpts, | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if secureMetrics { | ||||||
|  | 		// FilterProvider is used to protect the metrics endpoint with authn/authz. | ||||||
|  | 		// These configurations ensure that only authorized users and service accounts | ||||||
|  | 		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: | ||||||
|  | 		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization | ||||||
|  | 		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// If the certificate is not specified, controller-runtime will automatically | ||||||
|  | 	// generate self-signed certificates for the metrics server. While convenient for development and testing, | ||||||
|  | 	// this setup is not recommended for production. | ||||||
|  | 	// | ||||||
|  | 	// TODO(user): If you enable certManager, uncomment the following lines: | ||||||
|  | 	// - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates | ||||||
|  | 	// managed by cert-manager for the metrics server. | ||||||
|  | 	// - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. | ||||||
|  | 	if len(metricsCertPath) > 0 { | ||||||
|  | 		setupLog.Info("Initializing metrics certificate watcher using provided certificates", | ||||||
|  | 			"metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) | ||||||
|  |  | ||||||
|  | 		var err error | ||||||
|  | 		metricsCertWatcher, err = certwatcher.New( | ||||||
|  | 			filepath.Join(metricsCertPath, metricsCertName), | ||||||
|  | 			filepath.Join(metricsCertPath, metricsCertKey), | ||||||
|  | 		) | ||||||
|  | 		if err != nil { | ||||||
|  | 			setupLog.Error(err, "Failed to initialize metrics certificate watcher") | ||||||
|  | 			os.Exit(1) | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { | ||||||
|  | 			config.GetCertificate = metricsCertWatcher.GetCertificate | ||||||
|  | 		}) | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	options := ctrl.Options{ | 	options := ctrl.Options{ | ||||||
| 		Scheme:                 scheme, | 		Scheme:                 scheme, | ||||||
| 		Metrics:                metricsserver.Options{BindAddress: metricsAddr}, | 		Metrics:                metricsServerOptions, | ||||||
|  | 		WebhookServer:          webhookServer, | ||||||
| 		HealthProbeBindAddress: probeAddr, | 		HealthProbeBindAddress: probeAddr, | ||||||
| 		LeaderElection:         enableLeaderElection, | 		LeaderElection:         enableLeaderElection, | ||||||
| 		LeaderElectionID:       "c26807fd.onepassword.com", | 		LeaderElectionID:       "c26807fd.onepassword.com", | ||||||
|  | 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily | ||||||
|  | 		// when the Manager ends. This requires the binary to immediately end when the | ||||||
|  | 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly | ||||||
|  | 		// speeds up voluntary leader transitions as the new leader don't have to wait | ||||||
|  | 		// LeaseDuration time first. | ||||||
|  | 		// | ||||||
|  | 		// In the default scaffold provided, the program ends immediately after | ||||||
|  | 		// the manager stops, so would be fine to enable this option. However, | ||||||
|  | 		// if you are doing or is intended to do any operation such as perform cleanups | ||||||
|  | 		// after the manager stops then its usage might be unsafe. | ||||||
|  | 		// LeaderElectionReleaseOnCancel: true, | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	// Add support for MultiNamespace set in WATCH_NAMESPACE (e.g ns1,ns2) | 	// Add support for MultiNamespace set in WATCH_NAMESPACE (e.g ns1,ns2) | ||||||
| @@ -184,14 +307,14 @@ func main() { | |||||||
| 		setupLog.Error(err, "unable to create controller", "controller", "Deployment") | 		setupLog.Error(err, "unable to create controller", "controller", "Deployment") | ||||||
| 		os.Exit(1) | 		os.Exit(1) | ||||||
| 	} | 	} | ||||||
| 	//+kubebuilder:scaffold:builder | 	// +kubebuilder:scaffold:builder | ||||||
|  |  | ||||||
| 	//Setup 1PasswordConnect | 	// Setup 1PasswordConnect | ||||||
| 	if shouldManageConnect() { | 	if shouldManageConnect() { | ||||||
| 		setupLog.Info("Automated Connect Management Enabled") | 		setupLog.Info("Automated Connect Management Enabled") | ||||||
| 		go func(ctx context.Context) { | 		go func(ctx context.Context) { | ||||||
| 			connectStarted := false | 			connectStarted := false | ||||||
| 			for connectStarted == false { | 			for !connectStarted { | ||||||
| 				err := op.SetupConnect(ctx, mgr.GetClient(), deploymentNamespace) | 				err := op.SetupConnect(ctx, mgr.GetClient(), deploymentNamespace) | ||||||
| 				// Cache Not Started is an acceptable error. Retry until cache is started. | 				// Cache Not Started is an acceptable error. Retry until cache is started. | ||||||
| 				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) { | 				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) { | ||||||
| @@ -226,6 +349,14 @@ func main() { | |||||||
| 		} | 		} | ||||||
| 	}(ctx) | 	}(ctx) | ||||||
|  |  | ||||||
|  | 	if metricsCertWatcher != nil { | ||||||
|  | 		setupLog.Info("Adding metrics certificate watcher to manager") | ||||||
|  | 		if err := mgr.Add(metricsCertWatcher); err != nil { | ||||||
|  | 			setupLog.Error(err, "Unable to add metrics certificate watcher to manager") | ||||||
|  | 			os.Exit(1) | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { | 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { | ||||||
| 		setupLog.Error(err, "unable to set up health check") | 		setupLog.Error(err, "unable to set up health check") | ||||||
| 		os.Exit(1) | 		os.Exit(1) | ||||||
|   | |||||||
| @@ -14,6 +14,8 @@ spec: | |||||||
|     spec: |     spec: | ||||||
|       securityContext: |       securityContext: | ||||||
|         runAsNonRoot: true |         runAsNonRoot: true | ||||||
|  |         fsGroup: 999 | ||||||
|  |         fsGroupChangePolicy: OnRootMismatch | ||||||
|       volumes: |       volumes: | ||||||
|         - name: shared-data |         - name: shared-data | ||||||
|           emptyDir: {} |           emptyDir: {} | ||||||
| @@ -31,10 +33,19 @@ spec: | |||||||
|           volumeMounts: |           volumeMounts: | ||||||
|             - mountPath: /home/opuser/.op/data |             - mountPath: /home/opuser/.op/data | ||||||
|               name: shared-data |               name: shared-data | ||||||
|  |           securityContext: | ||||||
|  |             runAsUser: 0 | ||||||
|  |             runAsNonRoot: false | ||||||
|  |             allowPrivilegeEscalation: false | ||||||
|  |             capabilities: | ||||||
|  |               drop: [ "ALL" ] | ||||||
|       containers: |       containers: | ||||||
|         - name: connect-api |         - name: connect-api | ||||||
|           image: 1password/connect-api:latest |           image: 1password/connect-api:latest | ||||||
|           securityContext: |           securityContext: | ||||||
|  |             runAsNonRoot: true | ||||||
|  |             runAsUser: 999 | ||||||
|  |             runAsGroup: 999 | ||||||
|             allowPrivilegeEscalation: false |             allowPrivilegeEscalation: false | ||||||
|           resources: |           resources: | ||||||
|             limits: |             limits: | ||||||
| @@ -55,6 +66,9 @@ spec: | |||||||
|         - name: connect-sync |         - name: connect-sync | ||||||
|           image: 1password/connect-sync:latest |           image: 1password/connect-sync:latest | ||||||
|           securityContext: |           securityContext: | ||||||
|  |             runAsNonRoot: true | ||||||
|  |             runAsUser: 999 | ||||||
|  |             runAsGroup: 999 | ||||||
|             allowPrivilegeEscalation: false |             allowPrivilegeEscalation: false | ||||||
|           resources: |           resources: | ||||||
|             limits: |             limits: | ||||||
|   | |||||||
| @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 | |||||||
| kind: CustomResourceDefinition | kind: CustomResourceDefinition | ||||||
| metadata: | metadata: | ||||||
|   annotations: |   annotations: | ||||||
|     controller-gen.kubebuilder.io/version: v0.14.0 |     controller-gen.kubebuilder.io/version: v0.18.0 | ||||||
|   name: onepassworditems.onepassword.com |   name: onepassworditems.onepassword.com | ||||||
| spec: | spec: | ||||||
|   group: onepassword.com |   group: onepassword.com | ||||||
|   | |||||||
| @@ -11,13 +11,7 @@ patches: | |||||||
| #- path: patches/webhook_in_onepassworditems.yaml | #- path: patches/webhook_in_onepassworditems.yaml | ||||||
| #+kubebuilder:scaffold:crdkustomizewebhookpatch | #+kubebuilder:scaffold:crdkustomizewebhookpatch | ||||||
|  |  | ||||||
| # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. |  | ||||||
| # patches here are for enabling the CA injection for each CRD |  | ||||||
| #- path: patches/cainjection_in_onepassworditems.yaml |  | ||||||
| #+kubebuilder:scaffold:crdkustomizecainjectionpatch |  | ||||||
|  |  | ||||||
| # [WEBHOOK] To enable webhook, uncomment the following section | # [WEBHOOK] To enable webhook, uncomment the following section | ||||||
| # the following config is for teaching kustomize how to do kustomization for CRDs. | # the following config is for teaching kustomize how to do kustomization for CRDs. | ||||||
|  |  | ||||||
| #configurations: | #configurations: | ||||||
| #- kustomizeconfig.yaml | #- kustomizeconfig.yaml | ||||||
|   | |||||||
| @@ -1,7 +0,0 @@ | |||||||
| # The following patch adds a directive for certmanager to inject CA into the CRD |  | ||||||
| apiVersion: apiextensions.k8s.io/v1 |  | ||||||
| kind: CustomResourceDefinition |  | ||||||
| metadata: |  | ||||||
|   annotations: |  | ||||||
|     cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME |  | ||||||
|   name: onepassworditems.onepassword.com |  | ||||||
| @@ -1,16 +0,0 @@ | |||||||
| # The following patch enables a conversion webhook for the CRD |  | ||||||
| apiVersion: apiextensions.k8s.io/v1 |  | ||||||
| kind: CustomResourceDefinition |  | ||||||
| metadata: |  | ||||||
|   name: onepassworditems.onepassword.com |  | ||||||
| spec: |  | ||||||
|   conversion: |  | ||||||
|     strategy: Webhook |  | ||||||
|     webhook: |  | ||||||
|       clientConfig: |  | ||||||
|         service: |  | ||||||
|           namespace: system |  | ||||||
|           name: webhook-service |  | ||||||
|           path: /convert |  | ||||||
|       conversionReviewVersions: |  | ||||||
|       - v1 |  | ||||||
| @@ -25,118 +25,210 @@ resources: | |||||||
| #- ../certmanager | #- ../certmanager | ||||||
| # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. | # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. | ||||||
| #- ../prometheus | #- ../prometheus | ||||||
|  | # [METRICS] Expose the controller manager metrics service. | ||||||
|  | - metrics_service.yaml | ||||||
|  | # [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. | ||||||
|  | # Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. | ||||||
|  | # Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will | ||||||
|  | # be able to communicate with the Webhook Server. | ||||||
|  | #- ../network-policy | ||||||
|  |  | ||||||
|  | # Uncomment the patches line if you enable Metrics | ||||||
| patches: | patches: | ||||||
| # Protect the /metrics endpoint by putting it behind auth. | # [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. | ||||||
| # If you want your controller-manager to expose the /metrics | # More info: https://book.kubebuilder.io/reference/metrics | ||||||
| # endpoint w/o any authn/z, please comment the following line. | - path: manager_metrics_patch.yaml | ||||||
| - path: manager_auth_proxy_patch.yaml |   target: | ||||||
|  |     kind: Deployment | ||||||
|  |  | ||||||
|  | # Uncomment the patches line if you enable Metrics and CertManager | ||||||
|  | # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. | ||||||
|  | # This patch will protect the metrics with certManager self-signed certs. | ||||||
|  | #- path: cert_metrics_manager_patch.yaml | ||||||
|  | #  target: | ||||||
|  | #    kind: Deployment | ||||||
|  |  | ||||||
| # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in | ||||||
| # crd/kustomization.yaml | # crd/kustomization.yaml | ||||||
| #- path: manager_webhook_patch.yaml | #- path: manager_webhook_patch.yaml | ||||||
|  | #  target: | ||||||
| # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. | #    kind: Deployment | ||||||
| # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. |  | ||||||
| # 'CERTMANAGER' needs to be enabled to use ca injection |  | ||||||
| #- path: webhookcainjection_patch.yaml |  | ||||||
|  |  | ||||||
| # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. | ||||||
| # Uncomment the following replacements to add the cert-manager CA injection annotations | # Uncomment the following replacements to add the cert-manager CA injection annotations | ||||||
| #replacements: | #replacements: | ||||||
| #  - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs | # - source: # Uncomment the following block to enable certificates for metrics | ||||||
| #      kind: Certificate | #     kind: Service | ||||||
| #      group: cert-manager.io | #     version: v1 | ||||||
| #      version: v1 | #     name: controller-manager-metrics-service | ||||||
| #      name: serving-cert # this name should match the one in certificate.yaml | #     fieldPath: metadata.name | ||||||
| #      fieldPath: .metadata.namespace # namespace of the certificate CR | #   targets: | ||||||
| #    targets: | #     - select: | ||||||
| #      - select: | #         kind: Certificate | ||||||
| #          kind: ValidatingWebhookConfiguration | #         group: cert-manager.io | ||||||
| #        fieldPaths: | #         version: v1 | ||||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | #         name: metrics-certs | ||||||
| #        options: | #       fieldPaths: | ||||||
| #          delimiter: '/' | #         - spec.dnsNames.0 | ||||||
| #          index: 0 | #         - spec.dnsNames.1 | ||||||
| #          create: true | #       options: | ||||||
| #      - select: | #         delimiter: '.' | ||||||
| #          kind: MutatingWebhookConfiguration | #         index: 0 | ||||||
| #        fieldPaths: | #         create: true | ||||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | #     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor | ||||||
| #        options: | #         kind: ServiceMonitor | ||||||
| #          delimiter: '/' | #         group: monitoring.coreos.com | ||||||
| #          index: 0 | #         version: v1 | ||||||
| #          create: true | #         name: controller-manager-metrics-monitor | ||||||
| #      - select: | #       fieldPaths: | ||||||
| #          kind: CustomResourceDefinition | #         - spec.endpoints.0.tlsConfig.serverName | ||||||
| #        fieldPaths: | #       options: | ||||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | #         delimiter: '.' | ||||||
| #        options: | #         index: 0 | ||||||
| #          delimiter: '/' | #         create: true | ||||||
| #          index: 0 | # | ||||||
| #          create: true | # - source: | ||||||
| #  - source: | #     kind: Service | ||||||
| #      kind: Certificate | #     version: v1 | ||||||
| #      group: cert-manager.io | #     name: controller-manager-metrics-service | ||||||
| #      version: v1 | #     fieldPath: metadata.namespace | ||||||
| #      name: serving-cert # this name should match the one in certificate.yaml | #   targets: | ||||||
| #      fieldPath: .metadata.name | #     - select: | ||||||
| #    targets: | #         kind: Certificate | ||||||
| #      - select: | #         group: cert-manager.io | ||||||
| #          kind: ValidatingWebhookConfiguration | #         version: v1 | ||||||
| #        fieldPaths: | #         name: metrics-certs | ||||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | #       fieldPaths: | ||||||
| #        options: | #         - spec.dnsNames.0 | ||||||
| #          delimiter: '/' | #         - spec.dnsNames.1 | ||||||
| #          index: 1 | #       options: | ||||||
| #          create: true | #         delimiter: '.' | ||||||
| #      - select: | #         index: 1 | ||||||
| #          kind: MutatingWebhookConfiguration | #         create: true | ||||||
| #        fieldPaths: | #     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor | ||||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | #         kind: ServiceMonitor | ||||||
| #        options: | #         group: monitoring.coreos.com | ||||||
| #          delimiter: '/' | #         version: v1 | ||||||
| #          index: 1 | #         name: controller-manager-metrics-monitor | ||||||
| #          create: true | #       fieldPaths: | ||||||
| #      - select: | #         - spec.endpoints.0.tlsConfig.serverName | ||||||
| #          kind: CustomResourceDefinition | #       options: | ||||||
| #        fieldPaths: | #         delimiter: '.' | ||||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | #         index: 1 | ||||||
| #        options: | #         create: true | ||||||
| #          delimiter: '/' | # | ||||||
| #          index: 1 | # - source: # Uncomment the following block if you have any webhook | ||||||
| #          create: true | #     kind: Service | ||||||
| #  - source: # Add cert-manager annotation to the webhook Service | #     version: v1 | ||||||
| #      kind: Service | #     name: webhook-service | ||||||
| #      version: v1 | #     fieldPath: .metadata.name # Name of the service | ||||||
| #      name: webhook-service | #   targets: | ||||||
| #      fieldPath: .metadata.name # namespace of the service | #     - select: | ||||||
| #    targets: | #         kind: Certificate | ||||||
| #      - select: | #         group: cert-manager.io | ||||||
| #          kind: Certificate | #         version: v1 | ||||||
| #          group: cert-manager.io | #         name: serving-cert | ||||||
| #          version: v1 | #       fieldPaths: | ||||||
| #        fieldPaths: | #         - .spec.dnsNames.0 | ||||||
| #          - .spec.dnsNames.0 | #         - .spec.dnsNames.1 | ||||||
| #          - .spec.dnsNames.1 | #       options: | ||||||
| #        options: | #         delimiter: '.' | ||||||
| #          delimiter: '.' | #         index: 0 | ||||||
| #          index: 0 | #         create: true | ||||||
| #          create: true | # - source: | ||||||
| #  - source: | #     kind: Service | ||||||
| #      kind: Service | #     version: v1 | ||||||
| #      version: v1 | #     name: webhook-service | ||||||
| #      name: webhook-service | #     fieldPath: .metadata.namespace # Namespace of the service | ||||||
| #      fieldPath: .metadata.namespace # namespace of the service | #   targets: | ||||||
| #    targets: | #     - select: | ||||||
| #      - select: | #         kind: Certificate | ||||||
| #          kind: Certificate | #         group: cert-manager.io | ||||||
| #          group: cert-manager.io | #         version: v1 | ||||||
| #          version: v1 | #         name: serving-cert | ||||||
| #        fieldPaths: | #       fieldPaths: | ||||||
| #          - .spec.dnsNames.0 | #         - .spec.dnsNames.0 | ||||||
| #          - .spec.dnsNames.1 | #         - .spec.dnsNames.1 | ||||||
| #        options: | #       options: | ||||||
| #          delimiter: '.' | #         delimiter: '.' | ||||||
| #          index: 1 | #         index: 1 | ||||||
| #          create: true | #         create: true | ||||||
|  | # | ||||||
|  | # - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation) | ||||||
|  | #     kind: Certificate | ||||||
|  | #     group: cert-manager.io | ||||||
|  | #     version: v1 | ||||||
|  | #     name: serving-cert # This name should match the one in certificate.yaml | ||||||
|  | #     fieldPath: .metadata.namespace # Namespace of the certificate CR | ||||||
|  | #   targets: | ||||||
|  | #     - select: | ||||||
|  | #         kind: ValidatingWebhookConfiguration | ||||||
|  | #       fieldPaths: | ||||||
|  | #         - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||||
|  | #       options: | ||||||
|  | #         delimiter: '/' | ||||||
|  | #         index: 0 | ||||||
|  | #         create: true | ||||||
|  | # - source: | ||||||
|  | #     kind: Certificate | ||||||
|  | #     group: cert-manager.io | ||||||
|  | #     version: v1 | ||||||
|  | #     name: serving-cert | ||||||
|  | #     fieldPath: .metadata.name | ||||||
|  | #   targets: | ||||||
|  | #     - select: | ||||||
|  | #         kind: ValidatingWebhookConfiguration | ||||||
|  | #       fieldPaths: | ||||||
|  | #         - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||||
|  | #       options: | ||||||
|  | #         delimiter: '/' | ||||||
|  | #         index: 1 | ||||||
|  | #         create: true | ||||||
|  | # | ||||||
|  | # - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting ) | ||||||
|  | #     kind: Certificate | ||||||
|  | #     group: cert-manager.io | ||||||
|  | #     version: v1 | ||||||
|  | #     name: serving-cert | ||||||
|  | #     fieldPath: .metadata.namespace # Namespace of the certificate CR | ||||||
|  | #   targets: | ||||||
|  | #     - select: | ||||||
|  | #         kind: MutatingWebhookConfiguration | ||||||
|  | #       fieldPaths: | ||||||
|  | #         - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||||
|  | #       options: | ||||||
|  | #         delimiter: '/' | ||||||
|  | #         index: 0 | ||||||
|  | #         create: true | ||||||
|  | # - source: | ||||||
|  | #     kind: Certificate | ||||||
|  | #     group: cert-manager.io | ||||||
|  | #     version: v1 | ||||||
|  | #     name: serving-cert | ||||||
|  | #     fieldPath: .metadata.name | ||||||
|  | #   targets: | ||||||
|  | #     - select: | ||||||
|  | #         kind: MutatingWebhookConfiguration | ||||||
|  | #       fieldPaths: | ||||||
|  | #         - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||||
|  | #       options: | ||||||
|  | #         delimiter: '/' | ||||||
|  | #         index: 1 | ||||||
|  | #         create: true | ||||||
|  | # | ||||||
|  | # - source: # Uncomment the following block if you have a ConversionWebhook (--conversion) | ||||||
|  | #     kind: Certificate | ||||||
|  | #     group: cert-manager.io | ||||||
|  | #     version: v1 | ||||||
|  | #     name: serving-cert | ||||||
|  | #     fieldPath: .metadata.namespace # Namespace of the certificate CR | ||||||
|  | #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. | ||||||
|  | # +kubebuilder:scaffold:crdkustomizecainjectionns | ||||||
|  | # - source: | ||||||
|  | #     kind: Certificate | ||||||
|  | #     group: cert-manager.io | ||||||
|  | #     version: v1 | ||||||
|  | #     name: serving-cert | ||||||
|  | #     fieldPath: .metadata.name | ||||||
|  | #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. | ||||||
|  | # +kubebuilder:scaffold:crdkustomizecainjectionname | ||||||
|   | |||||||
| @@ -1,41 +0,0 @@ | |||||||
| # This patch inject a sidecar container which is a HTTP proxy for the |  | ||||||
| # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. |  | ||||||
| apiVersion: apps/v1 |  | ||||||
| kind: Deployment |  | ||||||
| metadata: |  | ||||||
|   name: onepassword-connect-operator |  | ||||||
|   namespace: system |  | ||||||
| spec: |  | ||||||
|   template: |  | ||||||
|     spec: |  | ||||||
|       securityContext: |  | ||||||
|         runAsNonRoot: true |  | ||||||
|       containers: |  | ||||||
|       - name: kube-rbac-proxy |  | ||||||
|         securityContext: |  | ||||||
|           allowPrivilegeEscalation: false |  | ||||||
|           capabilities: |  | ||||||
|             drop: |  | ||||||
|               - "ALL" |  | ||||||
|         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 |  | ||||||
|         args: |  | ||||||
|         - "--secure-listen-address=0.0.0.0:8443" |  | ||||||
|         - "--upstream=http://127.0.0.1:8080/" |  | ||||||
|         - "--logtostderr=true" |  | ||||||
|         - "--v=0" |  | ||||||
|         ports: |  | ||||||
|         - containerPort: 8443 |  | ||||||
|           protocol: TCP |  | ||||||
|           name: https |  | ||||||
|         resources: |  | ||||||
|           limits: |  | ||||||
|             cpu: 500m |  | ||||||
|             memory: 128Mi |  | ||||||
|           requests: |  | ||||||
|             cpu: 5m |  | ||||||
|             memory: 64Mi |  | ||||||
|       - name: manager |  | ||||||
|         args: |  | ||||||
|         - "--health-probe-bind-address=:8081" |  | ||||||
|         - "--metrics-bind-address=127.0.0.1:8080" |  | ||||||
|         - "--leader-elect" |  | ||||||
| @@ -1,10 +0,0 @@ | |||||||
| apiVersion: apps/v1 |  | ||||||
| kind: Deployment |  | ||||||
| metadata: |  | ||||||
|   name: onepassword-connect-operator |  | ||||||
|   namespace: system |  | ||||||
| spec: |  | ||||||
|   template: |  | ||||||
|     spec: |  | ||||||
|       containers: |  | ||||||
|       - name: manager |  | ||||||
							
								
								
									
										4
									
								
								config/default/manager_metrics_patch.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										4
									
								
								config/default/manager_metrics_patch.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,4 @@ | |||||||
|  | # This patch adds the args to allow exposing the metrics endpoint using HTTPS | ||||||
|  | - op: add | ||||||
|  |   path: /spec/template/spec/containers/0/args/0 | ||||||
|  |   value: --metrics-bind-address=:8443 | ||||||
							
								
								
									
										17
									
								
								config/default/metrics_service.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								config/default/metrics_service.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | |||||||
|  | apiVersion: v1 | ||||||
|  | kind: Service | ||||||
|  | metadata: | ||||||
|  |   labels: | ||||||
|  |     control-plane: controller-manager | ||||||
|  |     app.kubernetes.io/name: onepassword-operator | ||||||
|  |     app.kubernetes.io/managed-by: kustomize | ||||||
|  |   name: controller-manager-metrics-service | ||||||
|  |   namespace: system | ||||||
|  | spec: | ||||||
|  |   ports: | ||||||
|  |     - name: https | ||||||
|  |       port: 8443 | ||||||
|  |       protocol: TCP | ||||||
|  |       targetPort: 8443 | ||||||
|  |   selector: | ||||||
|  |     control-plane: controller-manager | ||||||
| @@ -72,7 +72,9 @@ spec: | |||||||
|         - /manager |         - /manager | ||||||
|         args: |         args: | ||||||
|         - --leader-elect |         - --leader-elect | ||||||
|  |         - --health-probe-bind-address=:8081 | ||||||
|         image: 1password/onepassword-operator:latest |         image: 1password/onepassword-operator:latest | ||||||
|  |         imagePullPolicy: Never | ||||||
|         name: manager |         name: manager | ||||||
|         env: |         env: | ||||||
|           - name: OPERATOR_NAME |           - name: OPERATOR_NAME | ||||||
| @@ -95,7 +97,7 @@ spec: | |||||||
|                 name: onepassword-token |                 name: onepassword-token | ||||||
|                 key: token |                 key: token | ||||||
|           - name: MANAGE_CONNECT |           - name: MANAGE_CONNECT | ||||||
|             value: "false" |             value: "true" | ||||||
| #            Uncomment the following lines to enable service account token and comment out the OP_CONNECT_TOKEN, OP_CONNECT_HOST and MANAGE_CONNECT env vars. | #            Uncomment the following lines to enable service account token and comment out the OP_CONNECT_TOKEN, OP_CONNECT_HOST and MANAGE_CONNECT env vars. | ||||||
| #          - name: OP_SERVICE_ACCOUNT_TOKEN | #          - name: OP_SERVICE_ACCOUNT_TOKEN | ||||||
| #            valueFrom: | #            valueFrom: | ||||||
| @@ -106,7 +108,7 @@ spec: | |||||||
|           allowPrivilegeEscalation: false |           allowPrivilegeEscalation: false | ||||||
|           capabilities: |           capabilities: | ||||||
|             drop: |             drop: | ||||||
|               - "ALL" |             - "ALL" | ||||||
|         livenessProbe: |         livenessProbe: | ||||||
|           httpGet: |           httpGet: | ||||||
|             path: /healthz |             path: /healthz | ||||||
|   | |||||||
							
								
								
									
										26
									
								
								config/network-policy/allow-metrics-traffic.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								config/network-policy/allow-metrics-traffic.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,26 @@ | |||||||
|  | # This NetworkPolicy allows ingress traffic | ||||||
|  | # with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those | ||||||
|  | # namespaces are able to gathering data from the metrics endpoint. | ||||||
|  | apiVersion: networking.k8s.io/v1 | ||||||
|  | kind: NetworkPolicy | ||||||
|  | metadata: | ||||||
|  |   labels: | ||||||
|  |     app.kubernetes.io/name: onepassword-operator | ||||||
|  |     app.kubernetes.io/managed-by: kustomize | ||||||
|  |   name: allow-metrics-traffic | ||||||
|  |   namespace: system | ||||||
|  | spec: | ||||||
|  |   podSelector: | ||||||
|  |     matchLabels: | ||||||
|  |       control-plane: controller-manager | ||||||
|  |   policyTypes: | ||||||
|  |       - Ingress | ||||||
|  |   ingress: | ||||||
|  |       # This allows ingress traffic from any namespace with the label metrics: enabled | ||||||
|  |     - from: | ||||||
|  |       - namespaceSelector: | ||||||
|  |           matchLabels: | ||||||
|  |             metrics: enabled  # Only from namespaces with this label | ||||||
|  |       ports: | ||||||
|  |         - port: 8443 | ||||||
|  |           protocol: TCP | ||||||
							
								
								
									
										2
									
								
								config/network-policy/kustomization.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								config/network-policy/kustomization.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | resources: | ||||||
|  | - allow-metrics-traffic.yaml | ||||||
| @@ -1,2 +1,11 @@ | |||||||
| resources: | resources: | ||||||
| - monitor.yaml | - monitor.yaml | ||||||
|  |  | ||||||
|  | # [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus | ||||||
|  | # to securely reference certificates created and managed by cert-manager. | ||||||
|  | # Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml | ||||||
|  | # to mount the "metrics-server-cert" secret in the Manager Deployment. | ||||||
|  | #patches: | ||||||
|  | #  - path: monitor_tls_patch.yaml | ||||||
|  | #    target: | ||||||
|  | #      kind: ServiceMonitor | ||||||
|   | |||||||
| @@ -5,7 +5,7 @@ metadata: | |||||||
|   labels: |   labels: | ||||||
|     name: onepassword-connect-operator |     name: onepassword-connect-operator | ||||||
|     control-plane: onepassword-connect-operator |     control-plane: onepassword-connect-operator | ||||||
|     app.kubernetes.io/name: servicemonitor |     app.kubernetes.io/name: onepassword-operator | ||||||
|     app.kubernetes.io/instance: controller-manager-metrics-monitor |     app.kubernetes.io/instance: controller-manager-metrics-monitor | ||||||
|     app.kubernetes.io/component: metrics |     app.kubernetes.io/component: metrics | ||||||
|     app.kubernetes.io/created-by: onepassword-connect-operator |     app.kubernetes.io/created-by: onepassword-connect-operator | ||||||
| @@ -16,12 +16,22 @@ metadata: | |||||||
| spec: | spec: | ||||||
|   endpoints: |   endpoints: | ||||||
|     - path: /metrics |     - path: /metrics | ||||||
|       port: https |       port: https # Ensure this is the name of the port that exposes HTTPS metrics | ||||||
|       scheme: https |       scheme: https | ||||||
|       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token |       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token | ||||||
|       tlsConfig: |       tlsConfig: | ||||||
|  |         # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables | ||||||
|  |         # certificate verification. This poses a significant security risk by making the system vulnerable to | ||||||
|  |         # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between | ||||||
|  |         # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, | ||||||
|  |         # compromising the integrity and confidentiality of the information. | ||||||
|  |         # Please use the following options for secure configurations: | ||||||
|  |         # caFile: /etc/metrics-certs/ca.crt | ||||||
|  |         # certFile: /etc/metrics-certs/tls.crt | ||||||
|  |         # keyFile: /etc/metrics-certs/tls.key | ||||||
|         insecureSkipVerify: true |         insecureSkipVerify: true | ||||||
|   selector: |   selector: | ||||||
|     matchLabels: |     matchLabels: | ||||||
|       name: onepassword-connect-operator |       name: onepassword-connect-operator | ||||||
|       control-plane: onepassword-connect-operator |       control-plane: onepassword-connect-operator | ||||||
|  |       app.kubernetes.io/name: onepassword-operator | ||||||
|   | |||||||
							
								
								
									
										19
									
								
								config/prometheus/monitor_tls_patch.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								config/prometheus/monitor_tls_patch.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | |||||||
|  | # Patch for Prometheus ServiceMonitor to enable secure TLS configuration | ||||||
|  | # using certificates managed by cert-manager | ||||||
|  | - op: replace | ||||||
|  |   path: /spec/endpoints/0/tlsConfig | ||||||
|  |   value: | ||||||
|  |     # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize | ||||||
|  |     serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc | ||||||
|  |     insecureSkipVerify: false | ||||||
|  |     ca: | ||||||
|  |       secret: | ||||||
|  |         name: metrics-server-cert | ||||||
|  |         key: ca.crt | ||||||
|  |     cert: | ||||||
|  |       secret: | ||||||
|  |         name: metrics-server-cert | ||||||
|  |         key: tls.crt | ||||||
|  |     keySecret: | ||||||
|  |       name: metrics-server-cert | ||||||
|  |       key: tls.key | ||||||
| @@ -1,16 +0,0 @@ | |||||||
| apiVersion: rbac.authorization.k8s.io/v1 |  | ||||||
| kind: ClusterRole |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     app.kubernetes.io/name: clusterrole |  | ||||||
|     app.kubernetes.io/instance: metrics-reader |  | ||||||
|     app.kubernetes.io/component: kube-rbac-proxy |  | ||||||
|     app.kubernetes.io/created-by: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/part-of: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/managed-by: kustomize |  | ||||||
|   name: metrics-reader |  | ||||||
| rules: |  | ||||||
| - nonResourceURLs: |  | ||||||
|   - "/metrics" |  | ||||||
|   verbs: |  | ||||||
|   - get |  | ||||||
| @@ -1,24 +0,0 @@ | |||||||
| apiVersion: rbac.authorization.k8s.io/v1 |  | ||||||
| kind: ClusterRole |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     app.kubernetes.io/name: clusterrole |  | ||||||
|     app.kubernetes.io/instance: proxy-role |  | ||||||
|     app.kubernetes.io/component: kube-rbac-proxy |  | ||||||
|     app.kubernetes.io/created-by: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/part-of: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/managed-by: kustomize |  | ||||||
|   name: proxy-role |  | ||||||
| rules: |  | ||||||
| - apiGroups: |  | ||||||
|   - authentication.k8s.io |  | ||||||
|   resources: |  | ||||||
|   - tokenreviews |  | ||||||
|   verbs: |  | ||||||
|   - create |  | ||||||
| - apiGroups: |  | ||||||
|   - authorization.k8s.io |  | ||||||
|   resources: |  | ||||||
|   - subjectaccessreviews |  | ||||||
|   verbs: |  | ||||||
|   - create |  | ||||||
| @@ -1,19 +0,0 @@ | |||||||
| apiVersion: rbac.authorization.k8s.io/v1 |  | ||||||
| kind: ClusterRoleBinding |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     app.kubernetes.io/name: clusterrolebinding |  | ||||||
|     app.kubernetes.io/instance: proxy-rolebinding |  | ||||||
|     app.kubernetes.io/component: kube-rbac-proxy |  | ||||||
|     app.kubernetes.io/created-by: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/part-of: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/managed-by: kustomize |  | ||||||
|   name: proxy-rolebinding |  | ||||||
| roleRef: |  | ||||||
|   apiGroup: rbac.authorization.k8s.io |  | ||||||
|   kind: ClusterRole |  | ||||||
|   name: proxy-role |  | ||||||
| subjects: |  | ||||||
| - kind: ServiceAccount |  | ||||||
|   name: onepassword-connect-operator |  | ||||||
|   namespace: system |  | ||||||
| @@ -1,23 +0,0 @@ | |||||||
| apiVersion: v1 |  | ||||||
| kind: Service |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     name: onepassword-connect-operator |  | ||||||
|     control-plane: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/name: service |  | ||||||
|     app.kubernetes.io/instance: controller-manager-metrics-service |  | ||||||
|     app.kubernetes.io/component: kube-rbac-proxy |  | ||||||
|     app.kubernetes.io/created-by: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/part-of: onepassword-connect-operator |  | ||||||
|     app.kubernetes.io/managed-by: kustomize |  | ||||||
|   name: onepassword-connect-operator-metrics-service |  | ||||||
|   namespace: system |  | ||||||
| spec: |  | ||||||
|   ports: |  | ||||||
|   - name: https |  | ||||||
|     port: 8443 |  | ||||||
|     protocol: TCP |  | ||||||
|     targetPort: https |  | ||||||
|   selector: |  | ||||||
|     name: onepassword-connect-operator |  | ||||||
|     control-plane: onepassword-connect-operator |  | ||||||
| @@ -9,10 +9,19 @@ resources: | |||||||
| - role_binding.yaml | - role_binding.yaml | ||||||
| - leader_election_role.yaml | - leader_election_role.yaml | ||||||
| - leader_election_role_binding.yaml | - leader_election_role_binding.yaml | ||||||
| # Comment the following 4 lines if you want to disable | # The following RBAC configurations are used to protect | ||||||
| # the auth proxy (https://github.com/brancz/kube-rbac-proxy) | # the metrics endpoint with authn/authz. These configurations | ||||||
| # which protects your /metrics endpoint. | # ensure that only authorized users and service accounts | ||||||
| - auth_proxy_service.yaml | # can access the metrics endpoint. Comment the following | ||||||
| - auth_proxy_role.yaml | # permissions if you want to disable this protection. | ||||||
| - auth_proxy_role_binding.yaml | # More info: https://book.kubebuilder.io/reference/metrics.html | ||||||
| - auth_proxy_client_clusterrole.yaml | - metrics_auth_role.yaml | ||||||
|  | - metrics_auth_role_binding.yaml | ||||||
|  | - metrics_reader_role.yaml | ||||||
|  | # For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by | ||||||
|  | # default, aiding admins in cluster management. Those roles are | ||||||
|  | # not used by the {{ .ProjectName }} itself. You can comment the following lines | ||||||
|  | # if you do not want those helpers be installed with your Project. | ||||||
|  | - onepassworditem_admin_role.yaml | ||||||
|  | - onepassworditem_editor_role.yaml | ||||||
|  | - onepassworditem_viewer_role.yaml | ||||||
|   | |||||||
							
								
								
									
										17
									
								
								config/rbac/metrics_auth_role.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								config/rbac/metrics_auth_role.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | |||||||
|  | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
|  | kind: ClusterRole | ||||||
|  | metadata: | ||||||
|  |   name: metrics-auth-role | ||||||
|  | rules: | ||||||
|  |   - apiGroups: | ||||||
|  |       - authentication.k8s.io | ||||||
|  |     resources: | ||||||
|  |       - tokenreviews | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |   - apiGroups: | ||||||
|  |       - authorization.k8s.io | ||||||
|  |     resources: | ||||||
|  |       - subjectaccessreviews | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
							
								
								
									
										12
									
								
								config/rbac/metrics_auth_role_binding.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										12
									
								
								config/rbac/metrics_auth_role_binding.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,12 @@ | |||||||
|  | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
|  | kind: ClusterRoleBinding | ||||||
|  | metadata: | ||||||
|  |   name: metrics-auth-rolebinding | ||||||
|  | roleRef: | ||||||
|  |   apiGroup: rbac.authorization.k8s.io | ||||||
|  |   kind: ClusterRole | ||||||
|  |   name: metrics-auth-role | ||||||
|  | subjects: | ||||||
|  |   - kind: ServiceAccount | ||||||
|  |     name: controller-manager | ||||||
|  |     namespace: system | ||||||
							
								
								
									
										9
									
								
								config/rbac/metrics_reader_role.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										9
									
								
								config/rbac/metrics_reader_role.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,9 @@ | |||||||
|  | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
|  | kind: ClusterRole | ||||||
|  | metadata: | ||||||
|  |   name: metrics-reader | ||||||
|  | rules: | ||||||
|  |   - nonResourceURLs: | ||||||
|  |       - "/metrics" | ||||||
|  |     verbs: | ||||||
|  |       - get | ||||||
							
								
								
									
										31
									
								
								config/rbac/onepassworditem_admin_role.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										31
									
								
								config/rbac/onepassworditem_admin_role.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,31 @@ | |||||||
|  | # This rule is not used by the project onepassword-operator itself. | ||||||
|  | # It is provided to allow the cluster admin to help manage permissions for users. | ||||||
|  | # | ||||||
|  | # Grants full permissions ('*') over onepassword.com. | ||||||
|  | # This role is intended for users authorized to modify roles and bindings within the cluster, | ||||||
|  | # enabling them to delegate specific permissions to other users or groups as needed. | ||||||
|  |  | ||||||
|  | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
|  | kind: ClusterRole | ||||||
|  | metadata: | ||||||
|  |   labels: | ||||||
|  |     app.kubernetes.io/name: clusterrole | ||||||
|  |     app.kubernetes.io/instance: onepassworditem-admin-role | ||||||
|  |     app.kubernetes.io/component: rbac | ||||||
|  |     app.kubernetes.io/created-by: onepassword-connect-operator | ||||||
|  |     app.kubernetes.io/part-of: onepassword-connect-operator | ||||||
|  |     app.kubernetes.io/managed-by: kustomize | ||||||
|  |   name: onepassworditem-admin-role | ||||||
|  | rules: | ||||||
|  |   - apiGroups: | ||||||
|  |       - onepassword.com | ||||||
|  |     resources: | ||||||
|  |       - onepassworditems | ||||||
|  |     verbs: | ||||||
|  |       - '*' | ||||||
|  |   - apiGroups: | ||||||
|  |       - onepassword.com | ||||||
|  |     resources: | ||||||
|  |       - onepassworditems/status | ||||||
|  |     verbs: | ||||||
|  |       - get | ||||||
| @@ -1,4 +1,10 @@ | |||||||
| # permissions for end users to edit onepassworditems. | # This rule is not used by the project onepassword-operator itself. | ||||||
|  | # It is provided to allow the cluster admin to help manage permissions for users. | ||||||
|  | # | ||||||
|  | # Grants permissions to create, update, and delete resources within the onepassword.com. | ||||||
|  | # This role is intended for users who need to manage these resources | ||||||
|  | # but should not control RBAC or manage permissions for others. | ||||||
|  |  | ||||||
| apiVersion: rbac.authorization.k8s.io/v1 | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
| kind: ClusterRole | kind: ClusterRole | ||||||
| metadata: | metadata: | ||||||
|   | |||||||
| @@ -1,4 +1,10 @@ | |||||||
| # permissions for end users to view onepassworditems. | # This rule is not used by the project onepassword-operator itself. | ||||||
|  | # It is provided to allow the cluster admin to help manage permissions for users. | ||||||
|  | # | ||||||
|  | # Grants read-only access to onepassword.com resources. | ||||||
|  | # This role is intended for users who need visibility into these resources | ||||||
|  | # without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. | ||||||
|  |  | ||||||
| apiVersion: rbac.authorization.k8s.io/v1 | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
| kind: ClusterRole | kind: ClusterRole | ||||||
| metadata: | metadata: | ||||||
|   | |||||||
| @@ -24,12 +24,6 @@ rules: | |||||||
|   - patch |   - patch | ||||||
|   - update |   - update | ||||||
|   - watch |   - watch | ||||||
| - apiGroups: |  | ||||||
|   - "" |  | ||||||
|   resources: |  | ||||||
|   - pods |  | ||||||
|   verbs: |  | ||||||
|   - get |  | ||||||
| - apiGroups: | - apiGroups: | ||||||
|   - apps |   - apps | ||||||
|   resources: |   resources: | ||||||
| @@ -45,25 +39,6 @@ rules: | |||||||
|   - patch |   - patch | ||||||
|   - update |   - update | ||||||
|   - watch |   - watch | ||||||
| - apiGroups: |  | ||||||
|   - apps |  | ||||||
|   resources: |  | ||||||
|   - deployments |  | ||||||
|   verbs: |  | ||||||
|   - create |  | ||||||
|   - delete |  | ||||||
|   - get |  | ||||||
|   - list |  | ||||||
|   - patch |  | ||||||
|   - update |  | ||||||
|   - watch |  | ||||||
| - apiGroups: |  | ||||||
|   - apps |  | ||||||
|   resources: |  | ||||||
|   - deployments |  | ||||||
|   - replicasets |  | ||||||
|   verbs: |  | ||||||
|   - get |  | ||||||
| - apiGroups: | - apiGroups: | ||||||
|   - apps |   - apps | ||||||
|   resources: |   resources: | ||||||
| @@ -106,17 +81,6 @@ rules: | |||||||
|   - onepassword.com |   - onepassword.com | ||||||
|   resources: |   resources: | ||||||
|   - '*' |   - '*' | ||||||
|   verbs: |  | ||||||
|   - create |  | ||||||
|   - delete |  | ||||||
|   - get |  | ||||||
|   - list |  | ||||||
|   - patch |  | ||||||
|   - update |  | ||||||
|   - watch |  | ||||||
| - apiGroups: |  | ||||||
|   - onepassword.com |  | ||||||
|   resources: |  | ||||||
|   - onepassworditems |   - onepassworditems | ||||||
|   verbs: |   verbs: | ||||||
|   - create |   - create | ||||||
|   | |||||||
							
								
								
									
										27
									
								
								docs/testing.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										27
									
								
								docs/testing.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,27 @@ | |||||||
|  | # Testing | ||||||
|  |  | ||||||
|  | ## Unit tests | ||||||
|  | **When**: Pure Go logic, no Kubernetes apiserver or network. | ||||||
|  | **Where**: `internal/...`, `pkg/...`   | ||||||
|  | **Add files in**: `*_test.go` next to the code.   | ||||||
|  | **Run**: `make test` | ||||||
|  |  | ||||||
|  | ## Integration tests (envtest) | ||||||
|  | **When**: Controller/reconciler behavior against a mocked kubernetes cluster.   | ||||||
|  | **Where**: `internal/controller/...`   | ||||||
|  | **Framework**: controller-runtime’s `envtest`.   | ||||||
|  | **Run**: `make test` | ||||||
|  |  | ||||||
|  | ## E2E tests (kind) | ||||||
|  | **When**: Full cluster behavior (CRDs, operator image, Connect/SA flows).   | ||||||
|  | **Where**: `test/e2e/...`   | ||||||
|  | **Framework**: Ginkgo + `pkg/testhelper`. | ||||||
|  |  | ||||||
|  | **Local prep**: | ||||||
|  | 1. [Install `kind`](https://kind.sigs.k8s.io/docs/user/quick-start/#installing-with-a-package-manager) to spin up local Kubernetes cluster. | ||||||
|  | 2. `export OP_CONNECT_TOKEN=<token>` | ||||||
|  | 3. `export OP_SERVICE_ACCOUNT_TOKEN=<token>` | ||||||
|  | 4. `make test-e2e` | ||||||
|  | 5. Put `1password-credentials.json` into project root. | ||||||
|  |  | ||||||
|  | **Run**: `make test-e2e` | ||||||
							
								
								
									
										97
									
								
								go.mod
									
									
									
									
									
								
							
							
						
						
									
										97
									
								
								go.mod
									
									
									
									
									
								
							| @@ -1,49 +1,57 @@ | |||||||
| module github.com/1Password/onepassword-operator | module github.com/1Password/onepassword-operator | ||||||
|  |  | ||||||
| go 1.24 | go 1.24.0 | ||||||
|  |  | ||||||
| toolchain go1.24.4 | toolchain go1.24.5 | ||||||
|  |  | ||||||
| require ( | require ( | ||||||
| 	github.com/1Password/connect-sdk-go v1.5.3 | 	github.com/1Password/connect-sdk-go v1.5.3 | ||||||
| 	github.com/1password/onepassword-sdk-go v0.3.1 | 	github.com/1password/onepassword-sdk-go v0.3.1 | ||||||
| 	github.com/go-logr/logr v1.4.2 | 	github.com/go-logr/logr v1.4.2 | ||||||
| 	github.com/onsi/ginkgo/v2 v2.14.0 | 	github.com/onsi/ginkgo/v2 v2.22.0 | ||||||
| 	github.com/onsi/gomega v1.30.0 | 	github.com/onsi/gomega v1.36.1 | ||||||
| 	github.com/stretchr/testify v1.10.0 | 	github.com/stretchr/testify v1.10.0 | ||||||
| 	k8s.io/api v0.29.3 | 	k8s.io/api v0.33.0 | ||||||
| 	k8s.io/apimachinery v0.29.3 | 	k8s.io/apiextensions-apiserver v0.33.0 | ||||||
| 	k8s.io/client-go v0.29.3 | 	k8s.io/apimachinery v0.33.0 | ||||||
|  | 	k8s.io/client-go v0.33.0 | ||||||
| 	k8s.io/kubectl v0.29.0 | 	k8s.io/kubectl v0.29.0 | ||||||
| 	sigs.k8s.io/controller-runtime v0.17.2 | 	sigs.k8s.io/controller-runtime v0.21.0 | ||||||
| ) | ) | ||||||
|  |  | ||||||
| require ( | require ( | ||||||
|  | 	cel.dev/expr v0.19.1 // indirect | ||||||
|  | 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect | ||||||
| 	github.com/beorn7/perks v1.0.1 // indirect | 	github.com/beorn7/perks v1.0.1 // indirect | ||||||
| 	github.com/cespare/xxhash/v2 v2.2.0 // indirect | 	github.com/blang/semver/v4 v4.0.0 // indirect | ||||||
| 	github.com/davecgh/go-spew v1.1.1 // indirect | 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect | ||||||
|  | 	github.com/cespare/xxhash/v2 v2.3.0 // indirect | ||||||
|  | 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect | ||||||
| 	github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a // indirect | 	github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a // indirect | ||||||
| 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect | 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect | ||||||
| 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect | 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect | ||||||
| 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect | 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect | ||||||
| 	github.com/extism/go-sdk v1.7.0 // indirect | 	github.com/extism/go-sdk v1.7.0 // indirect | ||||||
|  | 	github.com/felixge/httpsnoop v1.0.4 // indirect | ||||||
| 	github.com/fsnotify/fsnotify v1.7.0 // indirect | 	github.com/fsnotify/fsnotify v1.7.0 // indirect | ||||||
|  | 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect | ||||||
|  | 	github.com/go-logr/stdr v1.2.2 // indirect | ||||||
| 	github.com/go-logr/zapr v1.3.0 // indirect | 	github.com/go-logr/zapr v1.3.0 // indirect | ||||||
| 	github.com/go-openapi/jsonpointer v0.21.0 // indirect | 	github.com/go-openapi/jsonpointer v0.21.0 // indirect | ||||||
| 	github.com/go-openapi/jsonreference v0.21.0 // indirect | 	github.com/go-openapi/jsonreference v0.21.0 // indirect | ||||||
| 	github.com/go-openapi/swag v0.23.0 // indirect | 	github.com/go-openapi/swag v0.23.0 // indirect | ||||||
| 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect | 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect | ||||||
| 	github.com/gobwas/glob v0.2.3 // indirect | 	github.com/gobwas/glob v0.2.3 // indirect | ||||||
| 	github.com/gogo/protobuf v1.3.2 // indirect | 	github.com/gogo/protobuf v1.3.2 // indirect | ||||||
| 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect | 	github.com/google/btree v1.1.3 // indirect | ||||||
| 	github.com/golang/protobuf v1.5.4 // indirect | 	github.com/google/cel-go v0.23.2 // indirect | ||||||
| 	github.com/google/gnostic-models v0.6.8 // indirect | 	github.com/google/gnostic-models v0.6.9 // indirect | ||||||
| 	github.com/google/go-cmp v0.6.0 // indirect | 	github.com/google/go-cmp v0.7.0 // indirect | ||||||
| 	github.com/google/gofuzz v1.2.0 // indirect | 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect | ||||||
| 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect |  | ||||||
| 	github.com/google/uuid v1.6.0 // indirect | 	github.com/google/uuid v1.6.0 // indirect | ||||||
|  | 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect | ||||||
| 	github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca // indirect | 	github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca // indirect | ||||||
| 	github.com/imdario/mergo v0.3.16 // indirect | 	github.com/inconshreveable/mousetrap v1.1.0 // indirect | ||||||
| 	github.com/josharian/intern v1.0.0 // indirect | 	github.com/josharian/intern v1.0.0 // indirect | ||||||
| 	github.com/json-iterator/go v1.1.12 // indirect | 	github.com/json-iterator/go v1.1.12 // indirect | ||||||
| 	github.com/mailru/easyjson v0.7.7 // indirect | 	github.com/mailru/easyjson v0.7.7 // indirect | ||||||
| @@ -52,40 +60,57 @@ require ( | |||||||
| 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||||||
| 	github.com/opentracing/opentracing-go v1.2.0 // indirect | 	github.com/opentracing/opentracing-go v1.2.0 // indirect | ||||||
| 	github.com/pkg/errors v0.9.1 // indirect | 	github.com/pkg/errors v0.9.1 // indirect | ||||||
| 	github.com/pmezard/go-difflib v1.0.0 // indirect | 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect | ||||||
| 	github.com/prometheus/client_golang v1.19.0 // indirect | 	github.com/prometheus/client_golang v1.22.0 // indirect | ||||||
| 	github.com/prometheus/client_model v0.6.0 // indirect | 	github.com/prometheus/client_model v0.6.1 // indirect | ||||||
| 	github.com/prometheus/common v0.51.1 // indirect | 	github.com/prometheus/common v0.62.0 // indirect | ||||||
| 	github.com/prometheus/procfs v0.13.0 // indirect | 	github.com/prometheus/procfs v0.15.1 // indirect | ||||||
|  | 	github.com/spf13/cobra v1.8.1 // indirect | ||||||
| 	github.com/spf13/pflag v1.0.5 // indirect | 	github.com/spf13/pflag v1.0.5 // indirect | ||||||
|  | 	github.com/stoewer/go-strcase v1.3.0 // indirect | ||||||
| 	github.com/stretchr/objx v0.5.2 // indirect | 	github.com/stretchr/objx v0.5.2 // indirect | ||||||
| 	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 // indirect | 	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 // indirect | ||||||
| 	github.com/tetratelabs/wazero v1.9.0 // indirect | 	github.com/tetratelabs/wazero v1.9.0 // indirect | ||||||
| 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect | 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect | ||||||
| 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect | 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect | ||||||
| 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect | 	github.com/x448/float16 v0.8.4 // indirect | ||||||
|  | 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect | ||||||
|  | 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect | ||||||
|  | 	go.opentelemetry.io/otel v1.33.0 // indirect | ||||||
|  | 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect | ||||||
|  | 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect | ||||||
|  | 	go.opentelemetry.io/otel/metric v1.33.0 // indirect | ||||||
|  | 	go.opentelemetry.io/otel/sdk v1.33.0 // indirect | ||||||
|  | 	go.opentelemetry.io/otel/trace v1.33.0 // indirect | ||||||
|  | 	go.opentelemetry.io/proto/otlp v1.4.0 // indirect | ||||||
| 	go.uber.org/atomic v1.11.0 // indirect | 	go.uber.org/atomic v1.11.0 // indirect | ||||||
| 	go.uber.org/multierr v1.11.0 // indirect | 	go.uber.org/multierr v1.11.0 // indirect | ||||||
| 	go.uber.org/zap v1.27.0 // indirect | 	go.uber.org/zap v1.27.0 // indirect | ||||||
| 	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 // indirect | 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect | ||||||
| 	golang.org/x/net v0.41.0 // indirect | 	golang.org/x/net v0.41.0 // indirect | ||||||
| 	golang.org/x/oauth2 v0.30.0 // indirect | 	golang.org/x/oauth2 v0.30.0 // indirect | ||||||
|  | 	golang.org/x/sync v0.15.0 // indirect | ||||||
| 	golang.org/x/sys v0.33.0 // indirect | 	golang.org/x/sys v0.33.0 // indirect | ||||||
| 	golang.org/x/term v0.32.0 // indirect | 	golang.org/x/term v0.32.0 // indirect | ||||||
| 	golang.org/x/text v0.26.0 // indirect | 	golang.org/x/text v0.26.0 // indirect | ||||||
| 	golang.org/x/time v0.5.0 // indirect | 	golang.org/x/time v0.9.0 // indirect | ||||||
| 	golang.org/x/tools v0.33.0 // indirect | 	golang.org/x/tools v0.33.0 // indirect | ||||||
| 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect | 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect | ||||||
| 	google.golang.org/protobuf v1.34.2 // indirect | 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect | ||||||
|  | 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect | ||||||
|  | 	google.golang.org/grpc v1.68.1 // indirect | ||||||
|  | 	google.golang.org/protobuf v1.36.5 // indirect | ||||||
|  | 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect | ||||||
| 	gopkg.in/inf.v0 v0.9.1 // indirect | 	gopkg.in/inf.v0 v0.9.1 // indirect | ||||||
| 	gopkg.in/yaml.v2 v2.4.0 // indirect |  | ||||||
| 	gopkg.in/yaml.v3 v3.0.1 // indirect | 	gopkg.in/yaml.v3 v3.0.1 // indirect | ||||||
| 	k8s.io/apiextensions-apiserver v0.29.3 // indirect | 	k8s.io/apiserver v0.33.0 // indirect | ||||||
| 	k8s.io/component-base v0.29.3 // indirect | 	k8s.io/component-base v0.33.0 // indirect | ||||||
| 	k8s.io/klog/v2 v2.120.1 // indirect | 	k8s.io/klog/v2 v2.130.1 // indirect | ||||||
| 	k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 // indirect | 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect | ||||||
| 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect | 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect | ||||||
| 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect | 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect | ||||||
| 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect | 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect | ||||||
|  | 	sigs.k8s.io/randfill v1.0.0 // indirect | ||||||
|  | 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect | ||||||
| 	sigs.k8s.io/yaml v1.4.0 // indirect | 	sigs.k8s.io/yaml v1.4.0 // indirect | ||||||
| ) | ) | ||||||
|   | |||||||
							
								
								
									
										204
									
								
								go.sum
									
									
									
									
									
								
							
							
						
						
									
										204
									
								
								go.sum
									
									
									
									
									
								
							| @@ -1,33 +1,47 @@ | |||||||
|  | cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4= | ||||||
|  | cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= | ||||||
| github.com/1Password/connect-sdk-go v1.5.3 h1:KyjJ+kCKj6BwB2Y8tPM1Ixg5uIS6HsB0uWA8U38p/Uk= | github.com/1Password/connect-sdk-go v1.5.3 h1:KyjJ+kCKj6BwB2Y8tPM1Ixg5uIS6HsB0uWA8U38p/Uk= | ||||||
| github.com/1Password/connect-sdk-go v1.5.3/go.mod h1:5rSymY4oIYtS4G3t0oMkGAXBeoYiukV3vkqlnEjIDJs= | github.com/1Password/connect-sdk-go v1.5.3/go.mod h1:5rSymY4oIYtS4G3t0oMkGAXBeoYiukV3vkqlnEjIDJs= | ||||||
| github.com/1password/onepassword-sdk-go v0.3.1 h1:dz0LrYuIh/HrZ7rxr8NMymikNLBIXhyj4NBmo5Tdamc= | github.com/1password/onepassword-sdk-go v0.3.1 h1:dz0LrYuIh/HrZ7rxr8NMymikNLBIXhyj4NBmo5Tdamc= | ||||||
| github.com/1password/onepassword-sdk-go v0.3.1/go.mod h1:kssODrGGqHtniqPR91ZPoCMEo79mKulKat7RaD1bunk= | github.com/1password/onepassword-sdk-go v0.3.1/go.mod h1:kssODrGGqHtniqPR91ZPoCMEo79mKulKat7RaD1bunk= | ||||||
| github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM= | github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM= | ||||||
| github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo= | github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo= | ||||||
|  | github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= | ||||||
|  | github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= | ||||||
| github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= | github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= | ||||||
| github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= | github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= | ||||||
| github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= | github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= | ||||||
| github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= | github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= | ||||||
| github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= | github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= | ||||||
| github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= | github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= | ||||||
| github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= | github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= | ||||||
|  | github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= | ||||||
|  | github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= | ||||||
| github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||||
| github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= |  | ||||||
| github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||||
|  | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= | ||||||
|  | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||||
| github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a h1:UwSIFv5g5lIvbGgtf3tVwC7Ky9rmMFBp0RMs+6f6YqE= | github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a h1:UwSIFv5g5lIvbGgtf3tVwC7Ky9rmMFBp0RMs+6f6YqE= | ||||||
| github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a/go.mod h1:C8DzXehI4zAbrdlbtOByKX6pfivJTBiV9Jjqv56Yd9Q= | github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a/go.mod h1:C8DzXehI4zAbrdlbtOByKX6pfivJTBiV9Jjqv56Yd9Q= | ||||||
| github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= | github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= | ||||||
| github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= | github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= | ||||||
| github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= | github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= | ||||||
| github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= | github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= | ||||||
| github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= | github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= | ||||||
| github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= | github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= | ||||||
| github.com/extism/go-sdk v1.7.0 h1:yHbSa2JbcF60kjGsYiGEOcClfbknqCJchyh9TRibFWo= | github.com/extism/go-sdk v1.7.0 h1:yHbSa2JbcF60kjGsYiGEOcClfbknqCJchyh9TRibFWo= | ||||||
| github.com/extism/go-sdk v1.7.0/go.mod h1:Dhuc1qcD0aqjdqJ3ZDyGdkZPEj/EHKVjbE4P+1XRMqc= | github.com/extism/go-sdk v1.7.0/go.mod h1:Dhuc1qcD0aqjdqJ3ZDyGdkZPEj/EHKVjbE4P+1XRMqc= | ||||||
|  | github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= | ||||||
|  | github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= | ||||||
| github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= | github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= | ||||||
| github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= | github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= | ||||||
|  | github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= | ||||||
|  | github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= | ||||||
|  | github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= | ||||||
| github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= | github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= | ||||||
| github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= | github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= | ||||||
|  | github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= | ||||||
|  | github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= | ||||||
| github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= | github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= | ||||||
| github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= | github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= | ||||||
| github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= | github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= | ||||||
| @@ -36,43 +50,50 @@ github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF | |||||||
| github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= | github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= | ||||||
| github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= | github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= | ||||||
| github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= | github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= | ||||||
| github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= | github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= | ||||||
| github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= | github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= | ||||||
| github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= | github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= | ||||||
| github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= | github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= | ||||||
| github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= | ||||||
| github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= | ||||||
| github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= |  | ||||||
| github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= |  | ||||||
| github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= | github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= | ||||||
| github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= | github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= | ||||||
| github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= | github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= | ||||||
| github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= | github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= | ||||||
|  | github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4= | ||||||
|  | github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= | ||||||
|  | github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= | ||||||
|  | github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= | ||||||
| github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= | github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= | ||||||
| github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= | ||||||
| github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= | ||||||
| github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | ||||||
| github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= | github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= | ||||||
| github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | ||||||
| github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= | github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= | ||||||
| github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= | github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= | ||||||
| github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= | github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= | ||||||
| github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||||||
| github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= | github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE= | ||||||
|  | github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI= | ||||||
| github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca h1:T54Ema1DU8ngI+aef9ZhAhNGQhcRTrWxVeG07F+c/Rw= | github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca h1:T54Ema1DU8ngI+aef9ZhAhNGQhcRTrWxVeG07F+c/Rw= | ||||||
| github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= | github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= | ||||||
| github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= | github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= | ||||||
| github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= | github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= | ||||||
| github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= | github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= | ||||||
| github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= | github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= | ||||||
| github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= | github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= | ||||||
| github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= | github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= | ||||||
| github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= | ||||||
| github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= | ||||||
|  | github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= | ||||||
|  | github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= | ||||||
| github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= | ||||||
| github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= | github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= | ||||||
| github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= | ||||||
| github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= | ||||||
|  | github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= | ||||||
|  | github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= | ||||||
| github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= | github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= | ||||||
| github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= | github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= | ||||||
| github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= | ||||||
| @@ -82,33 +103,43 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G | |||||||
| github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= | github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= | ||||||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= | ||||||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= | ||||||
| github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= | github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= | ||||||
| github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= | github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= | ||||||
| github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= | github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw= | ||||||
| github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= | github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= | ||||||
| github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= | github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= | ||||||
| github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= | github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= | ||||||
| github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= | ||||||
| github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||||||
| github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= |  | ||||||
| github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||||||
| github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= | ||||||
| github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||||||
| github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= | github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= | ||||||
| github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= | github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= | ||||||
| github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw= | github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= | ||||||
| github.com/prometheus/common v0.51.1/go.mod h1:lrWtQx+iDfn2mbH5GUzlH9TSHyfZpHkSiG1W7y3sF2Q= | github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= | ||||||
| github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o= | github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io= | ||||||
| github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g= | github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= | ||||||
| github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= | github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= | ||||||
| github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= | github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= | ||||||
|  | github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= | ||||||
|  | github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= | ||||||
|  | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= | ||||||
|  | github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= | ||||||
|  | github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= | ||||||
| github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= | ||||||
| github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= | ||||||
|  | github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= | ||||||
|  | github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= | ||||||
| github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | ||||||
|  | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= | ||||||
|  | github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= | ||||||
| github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= | github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= | ||||||
| github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= | github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= | ||||||
| github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= | ||||||
| github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= | ||||||
|  | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= | ||||||
|  | github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= | ||||||
| github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= | ||||||
| github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= | ||||||
| github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 h1:ZF+QBjOI+tILZjBaFj3HgFonKXUcwgJ4djLb6i42S3Q= | github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 h1:ZF+QBjOI+tILZjBaFj3HgFonKXUcwgJ4djLb6i42S3Q= | ||||||
| @@ -119,10 +150,28 @@ github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaO | |||||||
| github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= | github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= | ||||||
| github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg= | github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg= | ||||||
| github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= | github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= | ||||||
|  | github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= | ||||||
|  | github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= | ||||||
| github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | ||||||
| github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | ||||||
| go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= | go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= | ||||||
| go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= | go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= | ||||||
|  | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU= | ||||||
|  | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q= | ||||||
|  | go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw= | ||||||
|  | go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= | ||||||
|  | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA= | ||||||
|  | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI= | ||||||
|  | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM= | ||||||
|  | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA= | ||||||
|  | go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ= | ||||||
|  | go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= | ||||||
|  | go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM= | ||||||
|  | go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= | ||||||
|  | go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= | ||||||
|  | go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= | ||||||
|  | go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= | ||||||
|  | go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= | ||||||
| go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= | go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= | ||||||
| go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= | go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= | ||||||
| go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= | go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= | ||||||
| @@ -134,8 +183,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= | |||||||
| golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | ||||||
| golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= | ||||||
| golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= | ||||||
| golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 h1:6R2FC06FonbXQ8pK11/PDFY6N6LWlf9KlzibaCapmqc= | golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= | ||||||
| golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ= | golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= | ||||||
| golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | ||||||
| golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | ||||||
| golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= | ||||||
| @@ -149,9 +198,10 @@ golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKl | |||||||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||||
| golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||||
| golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||||
|  | golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= | ||||||
|  | golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= | ||||||
| golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||||||
| golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||||||
| golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= |  | ||||||
| golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||||||
| golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= | golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= | ||||||
| golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= | golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= | ||||||
| @@ -161,8 +211,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | |||||||
| golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | ||||||
| golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= | golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= | ||||||
| golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= | golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= | ||||||
| golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= | golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= | ||||||
| golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= | golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= | ||||||
| golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | ||||||
| golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= | ||||||
| golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= | ||||||
| @@ -175,42 +225,54 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T | |||||||
| golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||||||
| gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= | gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= | ||||||
| gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= | gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= | ||||||
| google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= | google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q= | ||||||
| google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= | google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= | ||||||
|  | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= | ||||||
|  | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= | ||||||
|  | google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= | ||||||
|  | google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= | ||||||
|  | google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= | ||||||
|  | google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= | ||||||
| gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||||||
| gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= | ||||||
| gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= | ||||||
|  | gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= | ||||||
|  | gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= | ||||||
| gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= | ||||||
| gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= | ||||||
| gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= |  | ||||||
| gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= |  | ||||||
| gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= |  | ||||||
| gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||||||
| gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | ||||||
| gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||||||
| k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw= | k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU= | ||||||
| k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80= | k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM= | ||||||
| k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI= | k8s.io/apiextensions-apiserver v0.33.0 h1:d2qpYL7Mngbsc1taA4IjJPRJ9ilnsXIrndH+r9IimOs= | ||||||
| k8s.io/apiextensions-apiserver v0.29.3/go.mod h1:po0XiY5scnpJfFizNGo6puNU6Fq6D70UJY2Cb2KwAVc= | k8s.io/apiextensions-apiserver v0.33.0/go.mod h1:VeJ8u9dEEN+tbETo+lFkwaaZPg6uFKLGj5vyNEwwSzc= | ||||||
| k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU= | k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ= | ||||||
| k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU= | k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= | ||||||
| k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg= | k8s.io/apiserver v0.33.0 h1:QqcM6c+qEEjkOODHppFXRiw/cE2zP85704YrQ9YaBbc= | ||||||
| k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0= | k8s.io/apiserver v0.33.0/go.mod h1:EixYOit0YTxt8zrO2kBU7ixAtxFce9gKGq367nFmqI8= | ||||||
| k8s.io/component-base v0.29.3 h1:Oq9/nddUxlnrCuuR2K/jp6aflVvc0uDvxMzAWxnGzAo= | k8s.io/client-go v0.33.0 h1:UASR0sAYVUzs2kYuKn/ZakZlcs2bEHaizrrHUZg0G98= | ||||||
| k8s.io/component-base v0.29.3/go.mod h1:Yuj33XXjuOk2BAaHsIGHhCKZQAgYKhqIxIjIr2UXYio= | k8s.io/client-go v0.33.0/go.mod h1:kGkd+l/gNGg8GYWAPr0xF1rRKvVWvzh9vmZAMXtaKOg= | ||||||
| k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= | k8s.io/component-base v0.33.0 h1:Ot4PyJI+0JAD9covDhwLp9UNkUja209OzsJ4FzScBNk= | ||||||
| k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= | k8s.io/component-base v0.33.0/go.mod h1:aXYZLbw3kihdkOPMDhWbjGCO6sg+luw554KP51t8qCU= | ||||||
| k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 h1:qVoMaQV5t62UUvHe16Q3eb2c5HPzLHYzsi0Tu/xLndo= | k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= | ||||||
| k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= | k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= | ||||||
|  | k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= | ||||||
|  | k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= | ||||||
| k8s.io/kubectl v0.29.0 h1:Oqi48gXjikDhrBF67AYuZRTcJV4lg2l42GmvsP7FmYI= | k8s.io/kubectl v0.29.0 h1:Oqi48gXjikDhrBF67AYuZRTcJV4lg2l42GmvsP7FmYI= | ||||||
| k8s.io/kubectl v0.29.0/go.mod h1:0jMjGWIcMIQzmUaMgAzhSELv5WtHo2a8pq67DtviAJs= | k8s.io/kubectl v0.29.0/go.mod h1:0jMjGWIcMIQzmUaMgAzhSELv5WtHo2a8pq67DtviAJs= | ||||||
| k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY= | k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= | ||||||
| k8s.io/utils v0.0.0-20240310230437-4693a0247e57/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= | k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= | ||||||
| sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0= | sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= | ||||||
| sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= | sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= | ||||||
| sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= | sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= | ||||||
| sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= | sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= | ||||||
| sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= | sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= | ||||||
| sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= | sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= | ||||||
|  | sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= | ||||||
|  | sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= | ||||||
|  | sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= | ||||||
|  | sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= | ||||||
|  | sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= | ||||||
| sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= | sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= | ||||||
| sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= | sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= | ||||||
|   | |||||||
| @@ -59,9 +59,9 @@ type DeploymentReconciler struct { | |||||||
| 	OpAnnotationRegExp *regexp.Regexp | 	OpAnnotationRegExp *regexp.Regexp | ||||||
| } | } | ||||||
|  |  | ||||||
| //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete | // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete | ||||||
| //+kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch | // +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch | ||||||
| //+kubebuilder:rbac:groups=apps,resources=deployments/finalizers,verbs=update | // +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,verbs=update | ||||||
|  |  | ||||||
| // Reconcile is part of the main kubernetes reconciliation loop which aims to | // Reconcile is part of the main kubernetes reconciliation loop which aims to | ||||||
| // move the current state of the cluster closer to the desired state. | // move the current state of the cluster closer to the desired state. | ||||||
| @@ -91,12 +91,12 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) | |||||||
| 		return ctrl.Result{}, nil | 		return ctrl.Result{}, nil | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	//If the deployment is not being deleted | 	// If the deployment is not being deleted | ||||||
| 	if deployment.ObjectMeta.DeletionTimestamp.IsZero() { | 	if deployment.DeletionTimestamp.IsZero() { | ||||||
| 		// Adds a finalizer to the deployment if one does not exist. | 		// Adds a finalizer to the deployment if one does not exist. | ||||||
| 		// This is so we can handle cleanup of associated secrets properly | 		// This is so we can handle cleanup of associated secrets properly | ||||||
| 		if !utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) { | 		if !utils.ContainsString(deployment.Finalizers, finalizer) { | ||||||
| 			deployment.ObjectMeta.Finalizers = append(deployment.ObjectMeta.Finalizers, finalizer) | 			deployment.Finalizers = append(deployment.Finalizers, finalizer) | ||||||
| 			if err = r.Update(ctx, deployment); err != nil { | 			if err = r.Update(ctx, deployment); err != nil { | ||||||
| 				return reconcile.Result{}, err | 				return reconcile.Result{}, err | ||||||
| 			} | 			} | ||||||
| @@ -114,7 +114,7 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) | |||||||
| 	} | 	} | ||||||
| 	// The deployment has been marked for deletion. If the one password | 	// The deployment has been marked for deletion. If the one password | ||||||
| 	// finalizer is found there are cleanup tasks to perform | 	// finalizer is found there are cleanup tasks to perform | ||||||
| 	if utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) { | 	if utils.ContainsString(deployment.Finalizers, finalizer) { | ||||||
|  |  | ||||||
| 		secretName := annotations[op.NameAnnotation] | 		secretName := annotations[op.NameAnnotation] | ||||||
| 		if err = r.cleanupKubernetesSecretForDeployment(ctx, secretName, deployment); err != nil { | 		if err = r.cleanupKubernetesSecretForDeployment(ctx, secretName, deployment); err != nil { | ||||||
| @@ -133,13 +133,14 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) | |||||||
| func (r *DeploymentReconciler) SetupWithManager(mgr ctrl.Manager) error { | func (r *DeploymentReconciler) SetupWithManager(mgr ctrl.Manager) error { | ||||||
| 	return ctrl.NewControllerManagedBy(mgr). | 	return ctrl.NewControllerManagedBy(mgr). | ||||||
| 		For(&appsv1.Deployment{}). | 		For(&appsv1.Deployment{}). | ||||||
|  | 		Named("onepassword-deployment"). | ||||||
| 		Complete(r) | 		Complete(r) | ||||||
| } | } | ||||||
|  |  | ||||||
| func (r *DeploymentReconciler) cleanupKubernetesSecretForDeployment(ctx context.Context, secretName string, deletedDeployment *appsv1.Deployment) error { | func (r *DeploymentReconciler) cleanupKubernetesSecretForDeployment(ctx context.Context, secretName string, deletedDeployment *appsv1.Deployment) error { | ||||||
| 	kubernetesSecret := &corev1.Secret{} | 	kubernetesSecret := &corev1.Secret{} | ||||||
| 	kubernetesSecret.ObjectMeta.Name = secretName | 	kubernetesSecret.Name = secretName | ||||||
| 	kubernetesSecret.ObjectMeta.Namespace = deletedDeployment.Namespace | 	kubernetesSecret.Namespace = deletedDeployment.Namespace | ||||||
|  |  | ||||||
| 	if len(secretName) == 0 { | 	if len(secretName) == 0 { | ||||||
| 		return nil | 		return nil | ||||||
| @@ -185,7 +186,7 @@ func (r *DeploymentReconciler) areMultipleDeploymentsUsingSecret(ctx context.Con | |||||||
| } | } | ||||||
|  |  | ||||||
| func (r *DeploymentReconciler) removeOnePasswordFinalizerFromDeployment(ctx context.Context, deployment *appsv1.Deployment) error { | func (r *DeploymentReconciler) removeOnePasswordFinalizerFromDeployment(ctx context.Context, deployment *appsv1.Deployment) error { | ||||||
| 	deployment.ObjectMeta.Finalizers = utils.RemoveString(deployment.ObjectMeta.Finalizers, finalizer) | 	deployment.Finalizers = utils.RemoveString(deployment.Finalizers, finalizer) | ||||||
| 	return r.Update(ctx, deployment) | 	return r.Update(ctx, deployment) | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -82,10 +82,7 @@ var _ = Describe("Deployment controller", func() { | |||||||
| 		time.Sleep(time.Millisecond * 100) | 		time.Sleep(time.Millisecond * 100) | ||||||
| 		Eventually(func() bool { | 		Eventually(func() bool { | ||||||
| 			err := k8sClient.Get(ctx, secretKey, createdSecret) | 			err := k8sClient.Get(ctx, secretKey, createdSecret) | ||||||
| 			if err != nil { | 			return err == nil | ||||||
| 				return false |  | ||||||
| 			} |  | ||||||
| 			return true |  | ||||||
| 		}, timeout, interval).Should(BeTrue()) | 		}, timeout, interval).Should(BeTrue()) | ||||||
| 		Expect(createdSecret.Data).Should(Equal(item1.SecretData)) | 		Expect(createdSecret.Data).Should(Equal(item1.SecretData)) | ||||||
| 	} | 	} | ||||||
| @@ -190,10 +187,7 @@ var _ = Describe("Deployment controller", func() { | |||||||
| 			updatedSecret := &v1.Secret{} | 			updatedSecret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, secretKey, updatedSecret) | 				err := k8sClient.Get(ctx, secretKey, updatedSecret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
| 			Expect(updatedSecret.Data).Should(Equal(item2.SecretData)) | 			Expect(updatedSecret.Data).Should(Equal(item2.SecretData)) | ||||||
| 		}) | 		}) | ||||||
| @@ -247,10 +241,7 @@ var _ = Describe("Deployment controller", func() { | |||||||
| 			updatedSecret := &v1.Secret{} | 			updatedSecret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, secretKey, updatedSecret) | 				err := k8sClient.Get(ctx, secretKey, updatedSecret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
| 			Expect(updatedSecret.Data).Should(Equal(item1.SecretData)) | 			Expect(updatedSecret.Data).Should(Equal(item1.SecretData)) | ||||||
| 		}) | 		}) | ||||||
|   | |||||||
| @@ -57,18 +57,18 @@ type OnePasswordItemReconciler struct { | |||||||
| 	OpClient opclient.Client | 	OpClient opclient.Client | ||||||
| } | } | ||||||
|  |  | ||||||
| //+kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems,verbs=get;list;watch;create;update;patch;delete | // +kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems,verbs=get;list;watch;create;update;patch;delete | ||||||
| //+kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems/status,verbs=get;update;patch | // +kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems/status,verbs=get;update;patch | ||||||
| //+kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems/finalizers,verbs=update | // +kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems/finalizers,verbs=update | ||||||
|  |  | ||||||
| //+kubebuilder:rbac:groups="",resources=pods,verbs=get | // +kubebuilder:rbac:groups="",resources=pods,verbs=get | ||||||
| //+kubebuilder:rbac:groups="",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;namespaces,verbs=get;list;watch;create;update;patch;delete | // +kubebuilder:rbac:groups="",resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;namespaces,verbs=get;list;watch;create;update;patch;delete | ||||||
| //+kubebuilder:rbac:groups=apps,resources=daemonsets;deployments;replicasets;statefulsets,verbs=get;list;watch;create;update;patch;delete | // +kubebuilder:rbac:groups=apps,resources=daemonsets;deployments;replicasets;statefulsets,verbs=get;list;watch;create;update;patch;delete | ||||||
| //+kubebuilder:rbac:groups=apps,resources=replicasets;deployments,verbs=get | // +kubebuilder:rbac:groups=apps,resources=replicasets;deployments,verbs=get | ||||||
| //+kubebuilder:rbac:groups=apps,resourceNames=onepassword-connect-operator,resources=deployments/finalizers,verbs=update | // +kubebuilder:rbac:groups=apps,resourceNames=onepassword-connect-operator,resources=deployments/finalizers,verbs=update | ||||||
| //+kubebuilder:rbac:groups=onepassword.com,resources=*,verbs=get;list;watch;create;update;patch;delete | // +kubebuilder:rbac:groups=onepassword.com,resources=*,verbs=get;list;watch;create;update;patch;delete | ||||||
| //+kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create | // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create | ||||||
| //+kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update | // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update | ||||||
|  |  | ||||||
| // Reconcile is part of the main kubernetes reconciliation loop which aims to | // Reconcile is part of the main kubernetes reconciliation loop which aims to | ||||||
| // move the current state of the cluster closer to the desired state. | // move the current state of the cluster closer to the desired state. | ||||||
| @@ -93,11 +93,11 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	// If the deployment is not being deleted | 	// If the deployment is not being deleted | ||||||
| 	if onepassworditem.ObjectMeta.DeletionTimestamp.IsZero() { | 	if onepassworditem.DeletionTimestamp.IsZero() { | ||||||
| 		// Adds a finalizer to the deployment if one does not exist. | 		// Adds a finalizer to the deployment if one does not exist. | ||||||
| 		// This is so we can handle cleanup of associated secrets properly | 		// This is so we can handle cleanup of associated secrets properly | ||||||
| 		if !utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) { | 		if !utils.ContainsString(onepassworditem.Finalizers, finalizer) { | ||||||
| 			onepassworditem.ObjectMeta.Finalizers = append(onepassworditem.ObjectMeta.Finalizers, finalizer) | 			onepassworditem.Finalizers = append(onepassworditem.Finalizers, finalizer) | ||||||
| 			if err = r.Update(ctx, onepassworditem); err != nil { | 			if err = r.Update(ctx, onepassworditem); err != nil { | ||||||
| 				return ctrl.Result{}, err | 				return ctrl.Result{}, err | ||||||
| 			} | 			} | ||||||
| @@ -117,7 +117,7 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | |||||||
| 		return ctrl.Result{}, err | 		return ctrl.Result{}, err | ||||||
| 	} | 	} | ||||||
| 	// If one password finalizer exists then we must cleanup associated secrets | 	// If one password finalizer exists then we must cleanup associated secrets | ||||||
| 	if utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) { | 	if utils.ContainsString(onepassworditem.Finalizers, finalizer) { | ||||||
|  |  | ||||||
| 		// Delete associated kubernetes secret | 		// Delete associated kubernetes secret | ||||||
| 		if err = r.cleanupKubernetesSecret(ctx, onepassworditem); err != nil { | 		if err = r.cleanupKubernetesSecret(ctx, onepassworditem); err != nil { | ||||||
| @@ -125,7 +125,7 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | |||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		// Remove finalizer now that cleanup is complete | 		// Remove finalizer now that cleanup is complete | ||||||
| 		if err = r.removeFinalizer(ctx, onepassworditem); err != nil { | 		if err = r.removeOnePasswordFinalizerFromOnePasswordItem(ctx, onepassworditem); err != nil { | ||||||
| 			return ctrl.Result{}, err | 			return ctrl.Result{}, err | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| @@ -136,21 +136,14 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | |||||||
| func (r *OnePasswordItemReconciler) SetupWithManager(mgr ctrl.Manager) error { | func (r *OnePasswordItemReconciler) SetupWithManager(mgr ctrl.Manager) error { | ||||||
| 	return ctrl.NewControllerManagedBy(mgr). | 	return ctrl.NewControllerManagedBy(mgr). | ||||||
| 		For(&onepasswordv1.OnePasswordItem{}). | 		For(&onepasswordv1.OnePasswordItem{}). | ||||||
|  | 		Named("onepassworditem"). | ||||||
| 		Complete(r) | 		Complete(r) | ||||||
| } | } | ||||||
|  |  | ||||||
| func (r *OnePasswordItemReconciler) removeFinalizer(ctx context.Context, onePasswordItem *onepasswordv1.OnePasswordItem) error { |  | ||||||
| 	onePasswordItem.ObjectMeta.Finalizers = utils.RemoveString(onePasswordItem.ObjectMeta.Finalizers, finalizer) |  | ||||||
| 	if err := r.Update(ctx, onePasswordItem); err != nil { |  | ||||||
| 		return err |  | ||||||
| 	} |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (r *OnePasswordItemReconciler) cleanupKubernetesSecret(ctx context.Context, onePasswordItem *onepasswordv1.OnePasswordItem) error { | func (r *OnePasswordItemReconciler) cleanupKubernetesSecret(ctx context.Context, onePasswordItem *onepasswordv1.OnePasswordItem) error { | ||||||
| 	kubernetesSecret := &corev1.Secret{} | 	kubernetesSecret := &corev1.Secret{} | ||||||
| 	kubernetesSecret.ObjectMeta.Name = onePasswordItem.Name | 	kubernetesSecret.Name = onePasswordItem.Name | ||||||
| 	kubernetesSecret.ObjectMeta.Namespace = onePasswordItem.Namespace | 	kubernetesSecret.Namespace = onePasswordItem.Namespace | ||||||
|  |  | ||||||
| 	if err := r.Delete(ctx, kubernetesSecret); err != nil { | 	if err := r.Delete(ctx, kubernetesSecret); err != nil { | ||||||
| 		if !errors.IsNotFound(err) { | 		if !errors.IsNotFound(err) { | ||||||
| @@ -160,12 +153,12 @@ func (r *OnePasswordItemReconciler) cleanupKubernetesSecret(ctx context.Context, | |||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func (r *OnePasswordItemReconciler) removeOnePasswordFinalizerFromOnePasswordItem(ctx context.Context, opSecret *onepasswordv1.OnePasswordItem) error { | func (r *OnePasswordItemReconciler) removeOnePasswordFinalizerFromOnePasswordItem(ctx context.Context, onePasswordItem *onepasswordv1.OnePasswordItem) error { | ||||||
| 	opSecret.ObjectMeta.Finalizers = utils.RemoveString(opSecret.ObjectMeta.Finalizers, finalizer) | 	onePasswordItem.Finalizers = utils.RemoveString(onePasswordItem.Finalizers, finalizer) | ||||||
| 	return r.Update(ctx, opSecret) | 	return r.Update(ctx, onePasswordItem) | ||||||
| } | } | ||||||
|  |  | ||||||
| func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, resource *onepasswordv1.OnePasswordItem, req ctrl.Request) error { | func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, resource *onepasswordv1.OnePasswordItem, _ ctrl.Request) error { | ||||||
| 	secretName := resource.GetName() | 	secretName := resource.GetName() | ||||||
| 	labels := resource.Labels | 	labels := resource.Labels | ||||||
| 	secretType := resource.Type | 	secretType := resource.Type | ||||||
|   | |||||||
| @@ -3,6 +3,7 @@ package controller | |||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
| 	"fmt" | 	"fmt" | ||||||
|  |  | ||||||
| 	. "github.com/onsi/ginkgo/v2" | 	. "github.com/onsi/ginkgo/v2" | ||||||
| 	. "github.com/onsi/gomega" | 	. "github.com/onsi/gomega" | ||||||
|  |  | ||||||
| @@ -60,20 +61,14 @@ var _ = Describe("OnePasswordItem controller", func() { | |||||||
| 			created := &onepasswordv1.OnePasswordItem{} | 			created := &onepasswordv1.OnePasswordItem{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, created) | 				err := k8sClient.Get(ctx, key, created) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
|  |  | ||||||
| 			By("Creating the K8s secret successfully") | 			By("Creating the K8s secret successfully") | ||||||
| 			createdSecret := &v1.Secret{} | 			createdSecret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, createdSecret) | 				err := k8sClient.Get(ctx, key, createdSecret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
| 			Expect(createdSecret.Data).Should(Equal(item1.SecretData)) | 			Expect(createdSecret.Data).Should(Equal(item1.SecretData)) | ||||||
|  |  | ||||||
| @@ -101,10 +96,7 @@ var _ = Describe("OnePasswordItem controller", func() { | |||||||
| 			updatedSecret := &v1.Secret{} | 			updatedSecret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, updatedSecret) | 				err := k8sClient.Get(ctx, key, updatedSecret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
| 			Expect(updatedSecret.Data).Should(Equal(newDataByte)) | 			Expect(updatedSecret.Data).Should(Equal(newDataByte)) | ||||||
|  |  | ||||||
| @@ -175,20 +167,14 @@ var _ = Describe("OnePasswordItem controller", func() { | |||||||
| 			created := &onepasswordv1.OnePasswordItem{} | 			created := &onepasswordv1.OnePasswordItem{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, created) | 				err := k8sClient.Get(ctx, key, created) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
|  |  | ||||||
| 			By("Creating the K8s secret successfully") | 			By("Creating the K8s secret successfully") | ||||||
| 			createdSecret := &v1.Secret{} | 			createdSecret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, createdSecret) | 				err := k8sClient.Get(ctx, key, createdSecret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
| 			Expect(createdSecret.Data).Should(Equal(expectedData)) | 			Expect(createdSecret.Data).Should(Equal(expectedData)) | ||||||
|  |  | ||||||
| @@ -297,10 +283,7 @@ var _ = Describe("OnePasswordItem controller", func() { | |||||||
| 			secret := &v1.Secret{} | 			secret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, secret) | 				err := k8sClient.Get(ctx, key, secret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
| 			Expect(secret.Type).Should(Equal(v1.SecretType(customType))) | 			Expect(secret.Type).Should(Equal(v1.SecretType(customType))) | ||||||
| 		}) | 		}) | ||||||
| @@ -344,10 +327,7 @@ var _ = Describe("OnePasswordItem controller", func() { | |||||||
| 			createdSecret := &v1.Secret{} | 			createdSecret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, createdSecret) | 				err := k8sClient.Get(ctx, key, createdSecret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
|  |  | ||||||
| 			Expect(createdSecret.Data).Should(HaveKeyWithValue("server.crt", fileContent)) | 			Expect(createdSecret.Data).Should(HaveKeyWithValue("server.crt", fileContent)) | ||||||
| @@ -381,20 +361,14 @@ var _ = Describe("OnePasswordItem controller", func() { | |||||||
| 			secret := &v1.Secret{} | 			secret := &v1.Secret{} | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				err := k8sClient.Get(ctx, key, secret) | 				err := k8sClient.Get(ctx, key, secret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeTrue()) | 			}, timeout, interval).Should(BeTrue()) | ||||||
|  |  | ||||||
| 			By("Failing to update K8s secret") | 			By("Failing to update K8s secret") | ||||||
| 			Eventually(func() bool { | 			Eventually(func() bool { | ||||||
| 				secret.Type = v1.SecretTypeBasicAuth | 				secret.Type = v1.SecretTypeBasicAuth | ||||||
| 				err := k8sClient.Update(ctx, secret) | 				err := k8sClient.Update(ctx, secret) | ||||||
| 				if err != nil { | 				return err == nil | ||||||
| 					return false |  | ||||||
| 				} |  | ||||||
| 				return true |  | ||||||
| 			}, timeout, interval).Should(BeFalse()) | 			}, timeout, interval).Should(BeFalse()) | ||||||
| 		}) | 		}) | ||||||
|  |  | ||||||
|   | |||||||
| @@ -26,6 +26,7 @@ package controller | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
|  | 	"os" | ||||||
| 	"path/filepath" | 	"path/filepath" | ||||||
| 	"regexp" | 	"regexp" | ||||||
| 	"testing" | 	"testing" | ||||||
| @@ -46,7 +47,7 @@ import ( | |||||||
| 	onepasswordcomv1 "github.com/1Password/onepassword-operator/api/v1" | 	onepasswordcomv1 "github.com/1Password/onepassword-operator/api/v1" | ||||||
| 	"github.com/1Password/onepassword-operator/pkg/mocks" | 	"github.com/1Password/onepassword-operator/pkg/mocks" | ||||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||||
| 	//+kubebuilder:scaffold:imports | 	// +kubebuilder:scaffold:imports | ||||||
| ) | ) | ||||||
|  |  | ||||||
| // These tests use Ginkgo (BDD-style Go testing framework). Refer to | // These tests use Ginkgo (BDD-style Go testing framework). Refer to | ||||||
| @@ -155,6 +156,11 @@ var _ = BeforeSuite(func() { | |||||||
| 		ErrorIfCRDPathMissing: true, | 		ErrorIfCRDPathMissing: true, | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
|  | 	// Retrieve the first found binary directory to allow running tests from IDEs | ||||||
|  | 	if getFirstFoundEnvTestBinaryDir() != "" { | ||||||
|  | 		testEnv.BinaryAssetsDirectory = getFirstFoundEnvTestBinaryDir() | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	var err error | 	var err error | ||||||
| 	// cfg is defined in this file globally. | 	// cfg is defined in this file globally. | ||||||
| 	cfg, err = testEnv.Start() | 	cfg, err = testEnv.Start() | ||||||
| @@ -164,7 +170,7 @@ var _ = BeforeSuite(func() { | |||||||
| 	err = onepasswordcomv1.AddToScheme(scheme.Scheme) | 	err = onepasswordcomv1.AddToScheme(scheme.Scheme) | ||||||
| 	Expect(err).NotTo(HaveOccurred()) | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
| 	//+kubebuilder:scaffold:scheme | 	// +kubebuilder:scaffold:scheme | ||||||
|  |  | ||||||
| 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) | 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) | ||||||
| 	Expect(err).NotTo(HaveOccurred()) | 	Expect(err).NotTo(HaveOccurred()) | ||||||
| @@ -210,3 +216,26 @@ var _ = AfterSuite(func() { | |||||||
| 	err := testEnv.Stop() | 	err := testEnv.Stop() | ||||||
| 	Expect(err).NotTo(HaveOccurred()) | 	Expect(err).NotTo(HaveOccurred()) | ||||||
| }) | }) | ||||||
|  |  | ||||||
|  | // getFirstFoundEnvTestBinaryDir locates the first binary in the specified path. | ||||||
|  | // ENVTEST-based tests depend on specific binaries, usually located in paths set by | ||||||
|  | // controller-runtime. When running tests directly (e.g., via an IDE) without using | ||||||
|  | // Makefile targets, the 'BinaryAssetsDirectory' must be explicitly configured. | ||||||
|  | // | ||||||
|  | // This function streamlines the process by finding the required binaries, similar to | ||||||
|  | // setting the 'KUBEBUILDER_ASSETS' environment variable. To ensure the binaries are | ||||||
|  | // properly set up, run 'make setup-envtest' beforehand. | ||||||
|  | func getFirstFoundEnvTestBinaryDir() string { | ||||||
|  | 	basePath := filepath.Join("..", "..", "bin", "k8s") | ||||||
|  | 	entries, err := os.ReadDir(basePath) | ||||||
|  | 	if err != nil { | ||||||
|  | 		logf.Log.Error(err, "Failed to read directory", "path", basePath) | ||||||
|  | 		return "" | ||||||
|  | 	} | ||||||
|  | 	for _, entry := range entries { | ||||||
|  | 		if entry.IsDir() { | ||||||
|  | 			return filepath.Join(basePath, entry.Name()) | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	return "" | ||||||
|  | } | ||||||
|   | |||||||
| @@ -2,7 +2,7 @@ package kubernetessecrets | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
| 	errs "errors" | 	"errors" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"reflect" | 	"reflect" | ||||||
| 	"regexp" | 	"regexp" | ||||||
| @@ -11,7 +11,7 @@ import ( | |||||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||||
| 	"github.com/1Password/onepassword-operator/pkg/utils" | 	"github.com/1Password/onepassword-operator/pkg/utils" | ||||||
| 	corev1 "k8s.io/api/core/v1" | 	corev1 "k8s.io/api/core/v1" | ||||||
| 	"k8s.io/apimachinery/pkg/api/errors" | 	apierrors "k8s.io/apimachinery/pkg/api/errors" | ||||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||||
| 	"k8s.io/apimachinery/pkg/types" | 	"k8s.io/apimachinery/pkg/types" | ||||||
| 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" | 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" | ||||||
| @@ -26,11 +26,20 @@ const VersionAnnotation = OnepasswordPrefix + "/item-version" | |||||||
| const ItemPathAnnotation = OnepasswordPrefix + "/item-path" | const ItemPathAnnotation = OnepasswordPrefix + "/item-path" | ||||||
| const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart" | const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart" | ||||||
|  |  | ||||||
| var ErrCannotUpdateSecretType = errs.New("Cannot change secret type. Secret type is immutable") | var ErrCannotUpdateSecretType = errors.New("cannot change secret type: secret type is immutable") | ||||||
|  |  | ||||||
| var log = logf.Log | var log = logf.Log | ||||||
|  |  | ||||||
| func CreateKubernetesSecretFromItem(ctx context.Context, kubeClient kubernetesClient.Client, secretName, namespace string, item *model.Item, autoRestart string, labels map[string]string, secretType string, ownerRef *metav1.OwnerReference) error { | func CreateKubernetesSecretFromItem( | ||||||
|  | 	ctx context.Context, | ||||||
|  | 	kubeClient kubernetesClient.Client, | ||||||
|  | 	secretName, namespace string, | ||||||
|  | 	item *model.Item, | ||||||
|  | 	autoRestart string, | ||||||
|  | 	labels map[string]string, | ||||||
|  | 	secretType string, | ||||||
|  | 	ownerRef *metav1.OwnerReference, | ||||||
|  | ) error { | ||||||
| 	itemVersion := fmt.Sprint(item.Version) | 	itemVersion := fmt.Sprint(item.Version) | ||||||
| 	secretAnnotations := map[string]string{ | 	secretAnnotations := map[string]string{ | ||||||
| 		VersionAnnotation:  itemVersion, | 		VersionAnnotation:  itemVersion, | ||||||
| @@ -40,17 +49,20 @@ func CreateKubernetesSecretFromItem(ctx context.Context, kubeClient kubernetesCl | |||||||
| 	if autoRestart != "" { | 	if autoRestart != "" { | ||||||
| 		_, err := utils.StringToBool(autoRestart) | 		_, err := utils.StringToBool(autoRestart) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			return fmt.Errorf("Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName) | 			return fmt.Errorf("error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false", | ||||||
|  | 				RestartDeploymentsAnnotation, secretName, | ||||||
|  | 			) | ||||||
| 		} | 		} | ||||||
| 		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart | 		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	// "Opaque" and "" secret types are treated the same by Kubernetes. | 	// "Opaque" and "" secret types are treated the same by Kubernetes. | ||||||
| 	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, secretType, *item, ownerRef) | 	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, | ||||||
|  | 		secretType, *item, ownerRef) | ||||||
|  |  | ||||||
| 	currentSecret := &corev1.Secret{} | 	currentSecret := &corev1.Secret{} | ||||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret) | 	err := kubeClient.Get(ctx, types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret) | ||||||
| 	if err != nil && errors.IsNotFound(err) { | 	if err != nil && apierrors.IsNotFound(err) { | ||||||
| 		log.Info(fmt.Sprintf("Creating Secret %v at namespace '%v'", secret.Name, secret.Namespace)) | 		log.Info(fmt.Sprintf("Creating Secret %v at namespace '%v'", secret.Name, secret.Namespace)) | ||||||
| 		return kubeClient.Create(ctx, secret) | 		return kubeClient.Create(ctx, secret) | ||||||
| 	} else if err != nil { | 	} else if err != nil { | ||||||
| @@ -75,20 +87,29 @@ func CreateKubernetesSecretFromItem(ctx context.Context, kubeClient kubernetesCl | |||||||
| 	currentLabels := currentSecret.Labels | 	currentLabels := currentSecret.Labels | ||||||
| 	if !reflect.DeepEqual(currentAnnotations, secretAnnotations) || !reflect.DeepEqual(currentLabels, labels) { | 	if !reflect.DeepEqual(currentAnnotations, secretAnnotations) || !reflect.DeepEqual(currentLabels, labels) { | ||||||
| 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace)) | 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace)) | ||||||
| 		currentSecret.ObjectMeta.Annotations = secretAnnotations | 		currentSecret.Annotations = secretAnnotations | ||||||
| 		currentSecret.ObjectMeta.Labels = labels | 		currentSecret.Labels = labels | ||||||
| 		currentSecret.Data = secret.Data | 		currentSecret.Data = secret.Data | ||||||
| 		if err := kubeClient.Update(ctx, currentSecret); err != nil { | 		if err := kubeClient.Update(ctx, currentSecret); err != nil { | ||||||
| 			return fmt.Errorf("Kubernetes secret update failed: %w", err) | 			return fmt.Errorf("kubernetes secret update failed: %w", err) | ||||||
| 		} | 		} | ||||||
| 		return nil | 		return nil | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	log.Info(fmt.Sprintf("Secret with name %v and version %v already exists", secret.Name, secret.Annotations[VersionAnnotation])) | 	log.Info(fmt.Sprintf("Secret with name %v and version %v already exists", | ||||||
|  | 		secret.Name, secret.Annotations[VersionAnnotation], | ||||||
|  | 	)) | ||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, secretType string, item model.Item, ownerRef *metav1.OwnerReference) *corev1.Secret { | func BuildKubernetesSecretFromOnePasswordItem( | ||||||
|  | 	name, namespace string, | ||||||
|  | 	annotations map[string]string, | ||||||
|  | 	labels map[string]string, | ||||||
|  | 	secretType string, | ||||||
|  | 	item model.Item, | ||||||
|  | 	ownerRef *metav1.OwnerReference, | ||||||
|  | ) *corev1.Secret { | ||||||
| 	var ownerRefs []metav1.OwnerReference | 	var ownerRefs []metav1.OwnerReference | ||||||
| 	if ownerRef != nil { | 	if ownerRef != nil { | ||||||
| 		ownerRefs = []metav1.OwnerReference{*ownerRef} | 		ownerRefs = []metav1.OwnerReference{*ownerRef} | ||||||
|   | |||||||
| @@ -3,7 +3,6 @@ package kubernetessecrets | |||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" |  | ||||||
| 	"strings" | 	"strings" | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| @@ -12,26 +11,34 @@ import ( | |||||||
| 	"k8s.io/apimachinery/pkg/types" | 	"k8s.io/apimachinery/pkg/types" | ||||||
| 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" | 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" | ||||||
| 	"sigs.k8s.io/controller-runtime/pkg/client/fake" | 	"sigs.k8s.io/controller-runtime/pkg/client/fake" | ||||||
|  |  | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| const restartDeploymentAnnotation = "false" | const ( | ||||||
|  | 	restartDeploymentAnnotation = "false" | ||||||
|  | 	testNamespace               = "test" | ||||||
|  | 	testItemUUID                = "h46bb3jddvay7nxopfhvlwg35q" | ||||||
|  | 	testVaultUUID               = "hfnjvi6aymbsnfc2xeeoheizda" | ||||||
|  | ) | ||||||
|  |  | ||||||
| func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) { | func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) { | ||||||
| 	ctx := context.Background() | 	ctx := context.Background() | ||||||
| 	secretName := "test-secret-name" | 	secretName := "test-secret-name" | ||||||
| 	namespace := "test" | 	namespace := testNamespace | ||||||
|  |  | ||||||
| 	item := model.Item{} | 	item := model.Item{} | ||||||
| 	item.Fields = generateFields(5) | 	item.Fields = generateFields(5) | ||||||
| 	item.Version = 123 | 	item.Version = 123 | ||||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | 	item.VaultID = testVaultUUID | ||||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | 	item.ID = testItemUUID | ||||||
|  |  | ||||||
| 	kubeClient := fake.NewClientBuilder().Build() | 	kubeClient := fake.NewClientBuilder().Build() | ||||||
| 	secretLabels := map[string]string{} | 	secretLabels := map[string]string{} | ||||||
| 	secretType := "" | 	secretType := "" | ||||||
|  |  | ||||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, nil) | 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||||
|  | 		secretLabels, secretType, nil) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		t.Errorf("Unexpected error: %v", err) | 		t.Errorf("Unexpected error: %v", err) | ||||||
| 	} | 	} | ||||||
| @@ -48,13 +55,13 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) { | |||||||
| func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { | func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { | ||||||
| 	ctx := context.Background() | 	ctx := context.Background() | ||||||
| 	secretName := "test-secret-name" | 	secretName := "test-secret-name" | ||||||
| 	namespace := "test" | 	namespace := testNamespace | ||||||
|  |  | ||||||
| 	item := model.Item{} | 	item := model.Item{} | ||||||
| 	item.Fields = generateFields(5) | 	item.Fields = generateFields(5) | ||||||
| 	item.Version = 123 | 	item.Version = 123 | ||||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | 	item.VaultID = testVaultUUID | ||||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | 	item.ID = testItemUUID | ||||||
|  |  | ||||||
| 	kubeClient := fake.NewClientBuilder().Build() | 	kubeClient := fake.NewClientBuilder().Build() | ||||||
| 	secretLabels := map[string]string{} | 	secretLabels := map[string]string{} | ||||||
| @@ -66,15 +73,19 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { | |||||||
| 		Name:       "test-deployment", | 		Name:       "test-deployment", | ||||||
| 		UID:        types.UID("test-uid"), | 		UID:        types.UID("test-uid"), | ||||||
| 	} | 	} | ||||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, ownerRef) | 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||||
|  | 		secretLabels, secretType, ownerRef) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		t.Errorf("Unexpected error: %v", err) | 		t.Errorf("Unexpected error: %v", err) | ||||||
| 	} | 	} | ||||||
| 	createdSecret := &corev1.Secret{} | 	createdSecret := &corev1.Secret{} | ||||||
| 	err = kubeClient.Get(ctx, types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret) | 	err = kubeClient.Get(ctx, types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret) | ||||||
|  | 	if err != nil { | ||||||
|  | 		t.Errorf("Unexpected error: %v", err) | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	// Check owner references. | 	// Check owner references. | ||||||
| 	gotOwnerRefs := createdSecret.ObjectMeta.OwnerReferences | 	gotOwnerRefs := createdSecret.OwnerReferences | ||||||
| 	if len(gotOwnerRefs) != 1 { | 	if len(gotOwnerRefs) != 1 { | ||||||
| 		t.Errorf("Expected owner references length: 1 but got: %d", len(gotOwnerRefs)) | 		t.Errorf("Expected owner references length: 1 but got: %d", len(gotOwnerRefs)) | ||||||
| 	} | 	} | ||||||
| @@ -94,19 +105,20 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { | |||||||
| func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) { | func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) { | ||||||
| 	ctx := context.Background() | 	ctx := context.Background() | ||||||
| 	secretName := "test-secret-update" | 	secretName := "test-secret-update" | ||||||
| 	namespace := "test" | 	namespace := testNamespace | ||||||
|  |  | ||||||
| 	item := model.Item{} | 	item := model.Item{} | ||||||
| 	item.Fields = generateFields(5) | 	item.Fields = generateFields(5) | ||||||
| 	item.Version = 123 | 	item.Version = 123 | ||||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | 	item.VaultID = testVaultUUID | ||||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | 	item.ID = testItemUUID | ||||||
|  |  | ||||||
| 	kubeClient := fake.NewClientBuilder().Build() | 	kubeClient := fake.NewClientBuilder().Build() | ||||||
| 	secretLabels := map[string]string{} | 	secretLabels := map[string]string{} | ||||||
| 	secretType := "" | 	secretType := "" | ||||||
|  |  | ||||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, nil) | 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||||
|  | 		secretLabels, secretType, nil) | ||||||
|  |  | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		t.Errorf("Unexpected error: %v", err) | 		t.Errorf("Unexpected error: %v", err) | ||||||
| @@ -116,9 +128,10 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) { | |||||||
| 	newItem := model.Item{} | 	newItem := model.Item{} | ||||||
| 	newItem.Fields = generateFields(6) | 	newItem.Fields = generateFields(6) | ||||||
| 	newItem.Version = 456 | 	newItem.Version = 456 | ||||||
| 	newItem.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | 	newItem.VaultID = testVaultUUID | ||||||
| 	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q" | 	newItem.ID = testItemUUID | ||||||
| 	err = CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretType, nil) | 	err = CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, | ||||||
|  | 		secretLabels, secretType, nil) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		t.Errorf("Unexpected error: %v", err) | 		t.Errorf("Unexpected error: %v", err) | ||||||
| 	} | 	} | ||||||
| @@ -210,19 +223,20 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) { | |||||||
| func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) { | func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) { | ||||||
| 	ctx := context.Background() | 	ctx := context.Background() | ||||||
| 	secretName := "tls-test-secret-name" | 	secretName := "tls-test-secret-name" | ||||||
| 	namespace := "test" | 	namespace := testNamespace | ||||||
|  |  | ||||||
| 	item := model.Item{} | 	item := model.Item{} | ||||||
| 	item.Fields = generateFields(5) | 	item.Fields = generateFields(5) | ||||||
| 	item.Version = 123 | 	item.Version = 123 | ||||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | 	item.VaultID = testVaultUUID | ||||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | 	item.ID = testItemUUID | ||||||
|  |  | ||||||
| 	kubeClient := fake.NewClientBuilder().Build() | 	kubeClient := fake.NewClientBuilder().Build() | ||||||
| 	secretLabels := map[string]string{} | 	secretLabels := map[string]string{} | ||||||
| 	secretType := "kubernetes.io/tls" | 	secretType := "kubernetes.io/tls" | ||||||
|  |  | ||||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, nil) | 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||||
|  | 		secretLabels, secretType, nil) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		t.Errorf("Unexpected error: %v", err) | 		t.Errorf("Unexpected error: %v", err) | ||||||
| 	} | 	} | ||||||
| @@ -254,7 +268,9 @@ func compareAnnotationsToItem(annotations map[string]string, item model.Item, t | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if annotations[RestartDeploymentsAnnotation] != "false" { | 	if annotations[RestartDeploymentsAnnotation] != "false" { | ||||||
| 		t.Errorf("Expected restart deployments annotation to be %v but was %v", restartDeploymentAnnotation, RestartDeploymentsAnnotation) | 		t.Errorf("Expected restart deployments annotation to be %v but was %v", | ||||||
|  | 			restartDeploymentAnnotation, RestartDeploymentsAnnotation, | ||||||
|  | 		) | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -286,7 +302,10 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) { | |||||||
| 	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" { | 	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" { | ||||||
| 		return splitPath[1], splitPath[3], nil | 		return splitPath[1], splitPath[3], nil | ||||||
| 	} | 	} | ||||||
| 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path) | 	return "", "", fmt.Errorf( | ||||||
|  | 		"%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", | ||||||
|  | 		path, | ||||||
|  | 	) | ||||||
| } | } | ||||||
|  |  | ||||||
| func validLabel(v string) bool { | func validLabel(v string) bool { | ||||||
|   | |||||||
| @@ -1,7 +1,7 @@ | |||||||
| package logs | package logs | ||||||
|  |  | ||||||
| // A Level is a logging priority. Lower levels are more important. | // A Level is a logging priority. Lower levels are more important. | ||||||
| // All levels have been multipled by -1 to ensure compatibilty | // All levels have been multiplied by -1 to ensure compatibility | ||||||
| // between zapcore and logr | // between zapcore and logr | ||||||
| const ( | const ( | ||||||
| 	ErrorLevel = -2 | 	ErrorLevel = -2 | ||||||
|   | |||||||
| @@ -2,6 +2,7 @@ package mocks | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/mock" | 	"github.com/stretchr/testify/mock" | ||||||
|  |  | ||||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||||
|   | |||||||
| @@ -45,13 +45,14 @@ func FilterAnnotations(annotations map[string]string, regex *regexp.Regexp) map[ | |||||||
|  |  | ||||||
| func AreAnnotationsUsingSecrets(annotations map[string]string, secrets map[string]*corev1.Secret) bool { | func AreAnnotationsUsingSecrets(annotations map[string]string, secrets map[string]*corev1.Secret) bool { | ||||||
| 	_, ok := secrets[annotations[NameAnnotation]] | 	_, ok := secrets[annotations[NameAnnotation]] | ||||||
| 	if ok { | 	return ok | ||||||
| 		return true |  | ||||||
| 	} |  | ||||||
| 	return false |  | ||||||
| } | } | ||||||
|  |  | ||||||
| func AppendAnnotationUpdatedSecret(annotations map[string]string, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | func AppendAnnotationUpdatedSecret( | ||||||
|  | 	annotations map[string]string, | ||||||
|  | 	secrets map[string]*corev1.Secret, | ||||||
|  | 	updatedDeploymentSecrets map[string]*corev1.Secret, | ||||||
|  | ) map[string]*corev1.Secret { | ||||||
| 	secret, ok := secrets[annotations[NameAnnotation]] | 	secret, ok := secrets[annotations[NameAnnotation]] | ||||||
| 	if ok { | 	if ok { | ||||||
| 		updatedDeploymentSecrets[secret.Name] = secret | 		updatedDeploymentSecrets[secret.Name] = secret | ||||||
|   | |||||||
| @@ -80,7 +80,7 @@ func TestGetNoAnnotationsForDeployment(t *testing.T) { | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	numAnnotations := len(filteredAnnotations) | 	numAnnotations := len(filteredAnnotations) | ||||||
| 	if 0 != numAnnotations { | 	if numAnnotations != 0 { | ||||||
| 		t.Errorf("Expected %v annotations got %v", 0, numAnnotations) | 		t.Errorf("Expected %v annotations got %v", 0, numAnnotations) | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|   | |||||||
| @@ -58,7 +58,8 @@ func (c *Connect) GetItemsByTitle(ctx context.Context, vaultID, itemTitle string | |||||||
| } | } | ||||||
|  |  | ||||||
| // GetFileContent retrieves the content of a file from a 1Password item. | // GetFileContent retrieves the content of a file from a 1Password item. | ||||||
| // As the Connect has a delay when synchronizing files and returns a 500 error in this case, this function implements a retry mechanism. | // As the Connect has a delay when synchronizing files and returns a 500 error in this case, | ||||||
|  | // this function implements a retry mechanism. | ||||||
| func (c *Connect) GetFileContent(ctx context.Context, vaultID, itemID, fileID string) ([]byte, error) { | func (c *Connect) GetFileContent(ctx context.Context, vaultID, itemID, fileID string) ([]byte, error) { | ||||||
| 	const maxRetries = 5 | 	const maxRetries = 5 | ||||||
| 	const delay = 1 * time.Second | 	const delay = 1 * time.Second | ||||||
|   | |||||||
| @@ -1,7 +1,6 @@ | |||||||
| package testing | package testing | ||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	sdk "github.com/1password/onepassword-sdk-go" |  | ||||||
| 	"testing" | 	"testing" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
| @@ -9,6 +8,7 @@ import ( | |||||||
|  |  | ||||||
| 	"github.com/1Password/connect-sdk-go/onepassword" | 	"github.com/1Password/connect-sdk-go/onepassword" | ||||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||||
|  | 	sdk "github.com/1password/onepassword-sdk-go" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func CreateConnectItem() *onepassword.Item { | func CreateConnectItem() *onepassword.Item { | ||||||
|   | |||||||
| @@ -104,7 +104,11 @@ func (c *ConnectClientMock) GetFileContent(file *onepassword.File) ([]byte, erro | |||||||
| 	return args.Get(0).([]byte), args.Error(1) | 	return args.Get(0).([]byte), args.Error(1) | ||||||
| } | } | ||||||
|  |  | ||||||
| func (c *ConnectClientMock) DownloadFile(file *onepassword.File, targetDirectory string, overwrite bool) (string, error) { | func (c *ConnectClientMock) DownloadFile( | ||||||
|  | 	file *onepassword.File, | ||||||
|  | 	targetDirectory string, | ||||||
|  | 	overwrite bool, | ||||||
|  | ) (string, error) { | ||||||
| 	// Only implement this if mocking is needed | 	// Only implement this if mocking is needed | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|   | |||||||
| @@ -23,7 +23,7 @@ type ItemAPIMock struct { | |||||||
| } | } | ||||||
|  |  | ||||||
| func (i *ItemAPIMock) Create(ctx context.Context, params sdk.ItemCreateParams) (sdk.Item, error) { | func (i *ItemAPIMock) Create(ctx context.Context, params sdk.ItemCreateParams) (sdk.Item, error) { | ||||||
| 	//TODO implement me | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -33,27 +33,31 @@ func (i *ItemAPIMock) Get(ctx context.Context, vaultID string, itemID string) (s | |||||||
| } | } | ||||||
|  |  | ||||||
| func (i *ItemAPIMock) Put(ctx context.Context, item sdk.Item) (sdk.Item, error) { | func (i *ItemAPIMock) Put(ctx context.Context, item sdk.Item) (sdk.Item, error) { | ||||||
| 	//TODO implement me | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
| func (i *ItemAPIMock) Delete(ctx context.Context, vaultID string, itemID string) error { | func (i *ItemAPIMock) Delete(ctx context.Context, vaultID string, itemID string) error { | ||||||
| 	//TODO implement me | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
| func (i *ItemAPIMock) Archive(ctx context.Context, vaultID string, itemID string) error { | func (i *ItemAPIMock) Archive(ctx context.Context, vaultID string, itemID string) error { | ||||||
| 	//TODO implement me | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
| func (i *ItemAPIMock) List(ctx context.Context, vaultID string, filters ...sdk.ItemListFilter) ([]sdk.ItemOverview, error) { | func (i *ItemAPIMock) List( | ||||||
|  | 	ctx context.Context, | ||||||
|  | 	vaultID string, | ||||||
|  | 	filters ...sdk.ItemListFilter, | ||||||
|  | ) ([]sdk.ItemOverview, error) { | ||||||
| 	args := i.Called(ctx, vaultID, filters) | 	args := i.Called(ctx, vaultID, filters) | ||||||
| 	return args.Get(0).([]sdk.ItemOverview), args.Error(1) | 	return args.Get(0).([]sdk.ItemOverview), args.Error(1) | ||||||
| } | } | ||||||
|  |  | ||||||
| func (i *ItemAPIMock) Shares() sdk.ItemsSharesAPI { | func (i *ItemAPIMock) Shares() sdk.ItemsSharesAPI { | ||||||
| 	//TODO implement me | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -66,17 +70,21 @@ type FileAPIMock struct { | |||||||
| } | } | ||||||
|  |  | ||||||
| func (f *FileAPIMock) Attach(ctx context.Context, item sdk.Item, fileParams sdk.FileCreateParams) (sdk.Item, error) { | func (f *FileAPIMock) Attach(ctx context.Context, item sdk.Item, fileParams sdk.FileCreateParams) (sdk.Item, error) { | ||||||
| 	//TODO implement me | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
| func (f *FileAPIMock) Delete(ctx context.Context, item sdk.Item, sectionID string, fieldID string) (sdk.Item, error) { | func (f *FileAPIMock) Delete(ctx context.Context, item sdk.Item, sectionID string, fieldID string) (sdk.Item, error) { | ||||||
| 	//TODO implement me | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
| func (f *FileAPIMock) ReplaceDocument(ctx context.Context, item sdk.Item, docParams sdk.DocumentCreateParams) (sdk.Item, error) { | func (f *FileAPIMock) ReplaceDocument( | ||||||
| 	//TODO implement me | 	ctx context.Context, | ||||||
|  | 	item sdk.Item, | ||||||
|  | 	docParams sdk.DocumentCreateParams, | ||||||
|  | ) (sdk.Item, error) { | ||||||
|  | 	// TODO implement me | ||||||
| 	panic("implement me") | 	panic("implement me") | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -32,11 +32,19 @@ func SetupConnect(ctx context.Context, kubeClient client.Client, deploymentNames | |||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func setupDeployment(ctx context.Context, kubeClient client.Client, deploymentPath string, deploymentNamespace string) error { | func setupDeployment( | ||||||
|  | 	ctx context.Context, | ||||||
|  | 	kubeClient client.Client, | ||||||
|  | 	deploymentPath string, | ||||||
|  | 	deploymentNamespace string, | ||||||
|  | ) error { | ||||||
| 	existingDeployment := &appsv1.Deployment{} | 	existingDeployment := &appsv1.Deployment{} | ||||||
|  |  | ||||||
| 	// check if deployment has already been created | 	// check if deployment has already been created | ||||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingDeployment) | 	err := kubeClient.Get(ctx, types.NamespacedName{ | ||||||
|  | 		Name:      "onepassword-connect", | ||||||
|  | 		Namespace: deploymentNamespace, | ||||||
|  | 	}, existingDeployment) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		if errors.IsNotFound(err) { | 		if errors.IsNotFound(err) { | ||||||
| 			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment") | 			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment") | ||||||
| @@ -46,7 +54,12 @@ func setupDeployment(ctx context.Context, kubeClient client.Client, deploymentPa | |||||||
| 	return err | 	return err | ||||||
| } | } | ||||||
|  |  | ||||||
| func createDeployment(ctx context.Context, kubeClient client.Client, deploymentPath string, deploymentNamespace string) error { | func createDeployment( | ||||||
|  | 	ctx context.Context, | ||||||
|  | 	kubeClient client.Client, | ||||||
|  | 	deploymentPath string, | ||||||
|  | 	deploymentNamespace string, | ||||||
|  | ) error { | ||||||
| 	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace) | 	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
| @@ -81,8 +94,11 @@ func getDeploymentToCreate(deploymentPath string, deploymentNamespace string) (* | |||||||
| func setupService(ctx context.Context, kubeClient client.Client, servicePath string, deploymentNamespace string) error { | func setupService(ctx context.Context, kubeClient client.Client, servicePath string, deploymentNamespace string) error { | ||||||
| 	existingService := &corev1.Service{} | 	existingService := &corev1.Service{} | ||||||
|  |  | ||||||
| 	//check if service has already been created | 	// check if service has already been created | ||||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingService) | 	err := kubeClient.Get(ctx, types.NamespacedName{ | ||||||
|  | 		Name:      "onepassword-connect", | ||||||
|  | 		Namespace: deploymentNamespace, | ||||||
|  | 	}, existingService) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		if errors.IsNotFound(err) { | 		if errors.IsNotFound(err) { | ||||||
| 			logConnectSetup.Info("No existing Connect service found. Creating Service") | 			logConnectSetup.Info("No existing Connect service found. Creating Service") | ||||||
| @@ -92,7 +108,12 @@ func setupService(ctx context.Context, kubeClient client.Client, servicePath str | |||||||
| 	return err | 	return err | ||||||
| } | } | ||||||
|  |  | ||||||
| func createService(ctx context.Context, kubeClient client.Client, servicePath string, deploymentNamespace string) error { | func createService( | ||||||
|  | 	ctx context.Context, | ||||||
|  | 	kubeClient client.Client, | ||||||
|  | 	servicePath string, | ||||||
|  | 	deploymentNamespace string, | ||||||
|  | ) error { | ||||||
| 	f, err := os.Open(servicePath) | 	f, err := os.Open(servicePath) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
|   | |||||||
| @@ -28,7 +28,11 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string | |||||||
| 	return false | 	return false | ||||||
| } | } | ||||||
|  |  | ||||||
| func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | func AppendUpdatedContainerSecrets( | ||||||
|  | 	containers []corev1.Container, | ||||||
|  | 	secrets map[string]*corev1.Secret, | ||||||
|  | 	updatedDeploymentSecrets map[string]*corev1.Secret, | ||||||
|  | ) map[string]*corev1.Secret { | ||||||
| 	for i := 0; i < len(containers); i++ { | 	for i := 0; i < len(containers); i++ { | ||||||
| 		envVariables := containers[i].Env | 		envVariables := containers[i].Env | ||||||
| 		for j := 0; j < len(envVariables); j++ { | 		for j := 0; j < len(envVariables); j++ { | ||||||
| @@ -42,7 +46,7 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st | |||||||
| 		envFromVariables := containers[i].EnvFrom | 		envFromVariables := containers[i].EnvFrom | ||||||
| 		for j := 0; j < len(envFromVariables); j++ { | 		for j := 0; j < len(envFromVariables); j++ { | ||||||
| 			if envFromVariables[j].SecretRef != nil { | 			if envFromVariables[j].SecretRef != nil { | ||||||
| 				secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name] | 				secret, ok := secrets[envFromVariables[j].SecretRef.Name] | ||||||
| 				if ok { | 				if ok { | ||||||
| 					updatedDeploymentSecrets[secret.Name] = secret | 					updatedDeploymentSecrets[secret.Name] = secret | ||||||
| 				} | 				} | ||||||
|   | |||||||
| @@ -9,10 +9,15 @@ func IsDeploymentUsingSecrets(deployment *appsv1.Deployment, secrets map[string] | |||||||
| 	volumes := deployment.Spec.Template.Spec.Volumes | 	volumes := deployment.Spec.Template.Spec.Volumes | ||||||
| 	containers := deployment.Spec.Template.Spec.Containers | 	containers := deployment.Spec.Template.Spec.Containers | ||||||
| 	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...) | 	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...) | ||||||
| 	return AreAnnotationsUsingSecrets(deployment.Annotations, secrets) || AreContainersUsingSecrets(containers, secrets) || AreVolumesUsingSecrets(volumes, secrets) | 	return AreAnnotationsUsingSecrets(deployment.Annotations, secrets) || | ||||||
|  | 		AreContainersUsingSecrets(containers, secrets) || | ||||||
|  | 		AreVolumesUsingSecrets(volumes, secrets) | ||||||
| } | } | ||||||
|  |  | ||||||
| func GetUpdatedSecretsForDeployment(deployment *appsv1.Deployment, secrets map[string]*corev1.Secret) map[string]*corev1.Secret { | func GetUpdatedSecretsForDeployment( | ||||||
|  | 	deployment *appsv1.Deployment, | ||||||
|  | 	secrets map[string]*corev1.Secret, | ||||||
|  | ) map[string]*corev1.Secret { | ||||||
| 	volumes := deployment.Spec.Template.Spec.Volumes | 	volumes := deployment.Spec.Template.Spec.Volumes | ||||||
| 	containers := deployment.Spec.Template.Spec.Containers | 	containers := deployment.Spec.Template.Spec.Containers | ||||||
| 	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...) | 	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...) | ||||||
|   | |||||||
| @@ -49,7 +49,10 @@ func ParseVaultAndItemFromPath(path string) (string, string, error) { | |||||||
| 	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" { | 	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" { | ||||||
| 		return splitPath[1], splitPath[3], nil | 		return splitPath[1], splitPath[3], nil | ||||||
| 	} | 	} | ||||||
| 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path) | 	return "", "", fmt.Errorf( | ||||||
|  | 		"%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", | ||||||
|  | 		path, | ||||||
|  | 	) | ||||||
| } | } | ||||||
|  |  | ||||||
| func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID string) (string, error) { | func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID string) (string, error) { | ||||||
| @@ -60,7 +63,7 @@ func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID strin | |||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if len(vaults) == 0 { | 		if len(vaults) == 0 { | ||||||
| 			return "", fmt.Errorf("No vaults found with identifier %q", vaultNameOrID) | 			return "", fmt.Errorf("no vaults found with identifier %q", vaultNameOrID) | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		oldestVault := vaults[0] | 		oldestVault := vaults[0] | ||||||
| @@ -70,7 +73,9 @@ func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID strin | |||||||
| 					oldestVault = returnedVault | 					oldestVault = returnedVault | ||||||
| 				} | 				} | ||||||
| 			} | 			} | ||||||
| 			logger.Info(fmt.Sprintf("%v 1Password vaults found with the title %q. Will use vault %q as it is the oldest.", len(vaults), vaultNameOrID, oldestVault.ID)) | 			logger.Info(fmt.Sprintf("%v 1Password vaults found with the title %q. Will use vault %q as it is the oldest.", | ||||||
|  | 				len(vaults), vaultNameOrID, oldestVault.ID, | ||||||
|  | 			)) | ||||||
| 		} | 		} | ||||||
| 		vaultNameOrID = oldestVault.ID | 		vaultNameOrID = oldestVault.ID | ||||||
| 	} | 	} | ||||||
| @@ -85,7 +90,7 @@ func getItemID(ctx context.Context, client opclient.Client, vaultId, itemNameOrI | |||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		if len(items) == 0 { | 		if len(items) == 0 { | ||||||
| 			return "", fmt.Errorf("No items found with identifier %q", itemNameOrID) | 			return "", fmt.Errorf("no items found with identifier %q", itemNameOrID) | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		oldestItem := items[0] | 		oldestItem := items[0] | ||||||
| @@ -95,7 +100,9 @@ func getItemID(ctx context.Context, client opclient.Client, vaultId, itemNameOrI | |||||||
| 					oldestItem = returnedItem | 					oldestItem = returnedItem | ||||||
| 				} | 				} | ||||||
| 			} | 			} | ||||||
| 			logger.Info(fmt.Sprintf("%v 1Password items found with the title %q. Will use item %q as it is the oldest.", len(items), itemNameOrID, oldestItem.ID)) | 			logger.Info(fmt.Sprintf("%v 1Password items found with the title %q. Will use item %q as it is the oldest.", | ||||||
|  | 				len(items), itemNameOrID, oldestItem.ID, | ||||||
|  | 			)) | ||||||
| 		} | 		} | ||||||
| 		itemNameOrID = oldestItem.ID | 		itemNameOrID = oldestItem.ID | ||||||
| 	} | 	} | ||||||
|   | |||||||
| @@ -24,9 +24,7 @@ func (i *Item) FromConnectItem(item *connect.Item) { | |||||||
| 	i.VaultID = item.Vault.ID | 	i.VaultID = item.Vault.ID | ||||||
| 	i.Version = item.Version | 	i.Version = item.Version | ||||||
|  |  | ||||||
| 	for _, tag := range item.Tags { | 	i.Tags = append(i.Tags, item.Tags...) | ||||||
| 		i.Tags = append(i.Tags, tag) |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	for _, field := range item.Fields { | 	for _, field := range item.Fields { | ||||||
| 		i.Fields = append(i.Fields, ItemField{ | 		i.Fields = append(i.Fields, ItemField{ | ||||||
|   | |||||||
| @@ -18,12 +18,16 @@ import ( | |||||||
| 	logf "sigs.k8s.io/controller-runtime/pkg/log" | 	logf "sigs.k8s.io/controller-runtime/pkg/log" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| const envHostVariable = "OP_HOST" | // const envHostVariable = "OP_HOST" | ||||||
| const lockTag = "operator.1password.io:ignore-secret" | const lockTag = "operator.1password.io:ignore-secret" | ||||||
|  |  | ||||||
| var log = logf.Log.WithName("update_op_kubernetes_secrets_task") | var log = logf.Log.WithName("update_op_kubernetes_secrets_task") | ||||||
|  |  | ||||||
| func NewManager(kubernetesClient client.Client, opClient opclient.Client, shouldAutoRestartDeploymentsGlobal bool) *SecretUpdateHandler { | func NewManager( | ||||||
|  | 	kubernetesClient client.Client, | ||||||
|  | 	opClient opclient.Client, | ||||||
|  | 	shouldAutoRestartDeploymentsGlobal bool, | ||||||
|  | ) *SecretUpdateHandler { | ||||||
| 	return &SecretUpdateHandler{ | 	return &SecretUpdateHandler{ | ||||||
| 		client:                             kubernetesClient, | 		client:                             kubernetesClient, | ||||||
| 		opClient:                           opClient, | 		opClient:                           opClient, | ||||||
| @@ -46,7 +50,10 @@ func (h *SecretUpdateHandler) UpdateKubernetesSecretsTask(ctx context.Context) e | |||||||
| 	return h.restartDeploymentsWithUpdatedSecrets(ctx, updatedKubernetesSecrets) | 	return h.restartDeploymentsWithUpdatedSecrets(ctx, updatedKubernetesSecrets) | ||||||
| } | } | ||||||
|  |  | ||||||
| func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(ctx context.Context, updatedSecretsByNamespace map[string]map[string]*corev1.Secret) error { | func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets( | ||||||
|  | 	ctx context.Context, | ||||||
|  | 	updatedSecretsByNamespace map[string]map[string]*corev1.Secret, | ||||||
|  | ) error { | ||||||
| 	// No secrets to update. Exit | 	// No secrets to update. Exit | ||||||
| 	if len(updatedSecretsByNamespace) == 0 || updatedSecretsByNamespace == nil { | 	if len(updatedSecretsByNamespace) == 0 || updatedSecretsByNamespace == nil { | ||||||
| 		return nil | 		return nil | ||||||
| @@ -83,14 +90,18 @@ func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(ctx context.C | |||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		log.V(logs.DebugLevel).Info(fmt.Sprintf("Deployment %q at namespace %q is up to date", deployment.GetName(), deployment.Namespace)) | 		log.V(logs.DebugLevel).Info(fmt.Sprintf("Deployment %q at namespace %q is up to date", | ||||||
|  | 			deployment.GetName(), deployment.Namespace, | ||||||
|  | 		)) | ||||||
|  |  | ||||||
| 	} | 	} | ||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|  |  | ||||||
| func (h *SecretUpdateHandler) restartDeployment(ctx context.Context, deployment *appsv1.Deployment) { | func (h *SecretUpdateHandler) restartDeployment(ctx context.Context, deployment *appsv1.Deployment) { | ||||||
| 	log.Info(fmt.Sprintf("Deployment %q at namespace %q references an updated secret. Restarting", deployment.GetName(), deployment.Namespace)) | 	log.Info(fmt.Sprintf("Deployment %q at namespace %q references an updated secret. Restarting", | ||||||
|  | 		deployment.GetName(), deployment.Namespace, | ||||||
|  | 	)) | ||||||
| 	if deployment.Spec.Template.Annotations == nil { | 	if deployment.Spec.Template.Annotations == nil { | ||||||
| 		deployment.Spec.Template.Annotations = map[string]string{} | 		deployment.Spec.Template.Annotations = map[string]string{} | ||||||
| 	} | 	} | ||||||
| @@ -101,7 +112,9 @@ func (h *SecretUpdateHandler) restartDeployment(ctx context.Context, deployment | |||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
| func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[string]map[string]*corev1.Secret, error) { | func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) ( | ||||||
|  | 	map[string]map[string]*corev1.Secret, error, | ||||||
|  | ) { | ||||||
| 	secrets := &corev1.SecretList{} | 	secrets := &corev1.SecretList{} | ||||||
| 	err := h.client.List(ctx, secrets) | 	err := h.client.List(ctx, secrets) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| @@ -123,7 +136,9 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[ | |||||||
|  |  | ||||||
| 		item, err := GetOnePasswordItemByPath(ctx, h.opClient, OnePasswordItemPath) | 		item, err := GetOnePasswordItemByPath(ctx, h.opClient, OnePasswordItemPath) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			log.Error(err, fmt.Sprintf("failed to retrieve 1Password item at path %s for secret %s", secret.Annotations[ItemPathAnnotation], secret.Name)) | 			log.Error(err, fmt.Sprintf("failed to retrieve 1Password item at path %s for secret %s", | ||||||
|  | 				secret.Annotations[ItemPathAnnotation], secret.Name, | ||||||
|  | 			)) | ||||||
| 			continue | 			continue | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| @@ -132,7 +147,11 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[ | |||||||
|  |  | ||||||
| 		if currentVersion != itemVersion || secret.Annotations[ItemPathAnnotation] != itemPathString { | 		if currentVersion != itemVersion || secret.Annotations[ItemPathAnnotation] != itemPathString { | ||||||
| 			if isItemLockedForForcedRestarts(item) { | 			if isItemLockedForForcedRestarts(item) { | ||||||
| 				log.V(logs.DebugLevel).Info(fmt.Sprintf("Secret '%v' has been updated in 1Password but is set to be ignored. Updates to an ignored secret will not trigger an update to a kubernetes secret or a rolling restart.", secret.GetName())) | 				log.V(logs.DebugLevel).Info(fmt.Sprintf( | ||||||
|  | 					"Secret '%v' has been updated in 1Password but is set to be ignored. "+ | ||||||
|  | 						"Updates to an ignored secret will not trigger an update to a kubernetes secret or a rolling restart.", | ||||||
|  | 					secret.GetName(), | ||||||
|  | 				)) | ||||||
| 				secret.Annotations[VersionAnnotation] = itemVersion | 				secret.Annotations[VersionAnnotation] = itemVersion | ||||||
| 				secret.Annotations[ItemPathAnnotation] = itemPathString | 				secret.Annotations[ItemPathAnnotation] = itemPathString | ||||||
| 				if err := h.client.Update(ctx, &secret); err != nil { | 				if err := h.client.Update(ctx, &secret); err != nil { | ||||||
| @@ -145,7 +164,9 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[ | |||||||
| 			secret.Annotations[VersionAnnotation] = itemVersion | 			secret.Annotations[VersionAnnotation] = itemVersion | ||||||
| 			secret.Annotations[ItemPathAnnotation] = itemPathString | 			secret.Annotations[ItemPathAnnotation] = itemPathString | ||||||
| 			secret.Data = kubeSecrets.BuildKubernetesSecretData(item.Fields, item.Files) | 			secret.Data = kubeSecrets.BuildKubernetesSecretData(item.Fields, item.Files) | ||||||
| 			log.V(logs.DebugLevel).Info(fmt.Sprintf("New secret path: %v and version: %v", secret.Annotations[ItemPathAnnotation], secret.Annotations[VersionAnnotation])) | 			log.V(logs.DebugLevel).Info(fmt.Sprintf("New secret path: %v and version: %v", | ||||||
|  | 				secret.Annotations[ItemPathAnnotation], secret.Annotations[VersionAnnotation], | ||||||
|  | 			)) | ||||||
| 			if err := h.client.Update(ctx, &secret); err != nil { | 			if err := h.client.Update(ctx, &secret); err != nil { | ||||||
| 				log.Error(err, fmt.Sprintf("failed to update secret %s to version %s", secret.Name, itemVersion)) | 				log.Error(err, fmt.Sprintf("failed to update secret %s to version %s", secret.Name, itemVersion)) | ||||||
| 				continue | 				continue | ||||||
| @@ -171,10 +192,7 @@ func isItemLockedForForcedRestarts(item *model.Item) bool { | |||||||
|  |  | ||||||
| func isUpdatedSecret(secretName string, updatedSecrets map[string]*corev1.Secret) bool { | func isUpdatedSecret(secretName string, updatedSecrets map[string]*corev1.Secret) bool { | ||||||
| 	_, ok := updatedSecrets[secretName] | 	_, ok := updatedSecrets[secretName] | ||||||
| 	if ok { | 	return ok | ||||||
| 		return true |  | ||||||
| 	} |  | ||||||
| 	return false |  | ||||||
| } | } | ||||||
|  |  | ||||||
| func (h *SecretUpdateHandler) getIsSetForAutoRestartByNamespaceMap(ctx context.Context) (map[string]bool, error) { | func (h *SecretUpdateHandler) getIsSetForAutoRestartByNamespaceMap(ctx context.Context) (map[string]bool, error) { | ||||||
| @@ -209,16 +227,22 @@ func (h *SecretUpdateHandler) getPathFromOnePasswordItem(secret corev1.Secret) s | |||||||
| 	return secret.Annotations[ItemPathAnnotation] | 	return secret.Annotations[ItemPathAnnotation] | ||||||
| } | } | ||||||
|  |  | ||||||
| func isSecretSetForAutoRestart(secret *corev1.Secret, deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool { | func isSecretSetForAutoRestart( | ||||||
|  | 	secret *corev1.Secret, | ||||||
|  | 	deployment *appsv1.Deployment, | ||||||
|  | 	setForAutoRestartByNamespace map[string]bool, | ||||||
|  | ) bool { | ||||||
| 	restartDeployment := secret.Annotations[RestartDeploymentsAnnotation] | 	restartDeployment := secret.Annotations[RestartDeploymentsAnnotation] | ||||||
| 	//If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace | 	// If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace | ||||||
| 	if restartDeployment == "" { | 	if restartDeployment == "" { | ||||||
| 		return isDeploymentSetForAutoRestart(deployment, setForAutoRestartByNamespace) | 		return isDeploymentSetForAutoRestart(deployment, setForAutoRestartByNamespace) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Secret %s. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secret.Name)) | 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Secret %s. Must be true or false. Defaulting to false.", | ||||||
|  | 			RestartDeploymentsAnnotation, secret.Name, | ||||||
|  | 		)) | ||||||
| 		return false | 		return false | ||||||
| 	} | 	} | ||||||
| 	return restartDeploymentBool | 	return restartDeploymentBool | ||||||
| @@ -226,14 +250,17 @@ func isSecretSetForAutoRestart(secret *corev1.Secret, deployment *appsv1.Deploym | |||||||
|  |  | ||||||
| func isDeploymentSetForAutoRestart(deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool { | func isDeploymentSetForAutoRestart(deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool { | ||||||
| 	restartDeployment := deployment.Annotations[RestartDeploymentsAnnotation] | 	restartDeployment := deployment.Annotations[RestartDeploymentsAnnotation] | ||||||
| 	//If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace | 	// If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace | ||||||
| 	if restartDeployment == "" { | 	if restartDeployment == "" { | ||||||
| 		return setForAutoRestartByNamespace[deployment.Namespace] | 		return setForAutoRestartByNamespace[deployment.Namespace] | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Deployment %s. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, deployment.Name)) | 		log.Error(err, fmt.Sprintf( | ||||||
|  | 			"Error parsing %s annotation on Deployment %s. Must be true or false. Defaulting to false.", | ||||||
|  | 			RestartDeploymentsAnnotation, deployment.Name, | ||||||
|  | 		)) | ||||||
| 		return false | 		return false | ||||||
| 	} | 	} | ||||||
| 	return restartDeploymentBool | 	return restartDeploymentBool | ||||||
| @@ -241,14 +268,16 @@ func isDeploymentSetForAutoRestart(deployment *appsv1.Deployment, setForAutoRest | |||||||
|  |  | ||||||
| func (h *SecretUpdateHandler) isNamespaceSetToAutoRestart(namespace *corev1.Namespace) bool { | func (h *SecretUpdateHandler) isNamespaceSetToAutoRestart(namespace *corev1.Namespace) bool { | ||||||
| 	restartDeployment := namespace.Annotations[RestartDeploymentsAnnotation] | 	restartDeployment := namespace.Annotations[RestartDeploymentsAnnotation] | ||||||
| 	//If annotation for auto restarts for deployment is not set. Check environment variable set on the operator | 	// If annotation for auto restarts for deployment is not set. Check environment variable set on the operator | ||||||
| 	if restartDeployment == "" { | 	if restartDeployment == "" { | ||||||
| 		return h.shouldAutoRestartDeploymentsGlobal | 		return h.shouldAutoRestartDeploymentsGlobal | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Namespace %s. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, namespace.Name)) | 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Namespace %s. Must be true or false. Defaulting to false.", | ||||||
|  | 			RestartDeploymentsAnnotation, namespace.Name, | ||||||
|  | 		)) | ||||||
| 		return false | 		return false | ||||||
| 	} | 	} | ||||||
| 	return restartDeploymentBool | 	return restartDeploymentBool | ||||||
|   | |||||||
| @@ -43,7 +43,6 @@ type testUpdateSecretTask struct { | |||||||
| 	existingSecret           *corev1.Secret | 	existingSecret           *corev1.Secret | ||||||
| 	expectedError            error | 	expectedError            error | ||||||
| 	expectedResultSecret     *corev1.Secret | 	expectedResultSecret     *corev1.Secret | ||||||
| 	expectedEvents           []string |  | ||||||
| 	opItem                   map[string]string | 	opItem                   map[string]string | ||||||
| 	expectedRestart          bool | 	expectedRestart          bool | ||||||
| 	globalAutoRestartEnabled bool | 	globalAutoRestartEnabled bool | ||||||
| @@ -63,6 +62,9 @@ var defaultNamespace = &corev1.Namespace{ | |||||||
| 	}, | 	}, | ||||||
| } | } | ||||||
|  |  | ||||||
|  | // TODO: Refactor test cases to avoid duplication. | ||||||
|  | // | ||||||
|  | //nolint:dupl | ||||||
| var tests = []testUpdateSecretTask{ | var tests = []testUpdateSecretTask{ | ||||||
| 	{ | 	{ | ||||||
| 		testName:          "Test unrelated deployment is not restarted with an updated secret", | 		testName:          "Test unrelated deployment is not restarted with an updated secret", | ||||||
| @@ -838,9 +840,10 @@ func TestUpdateSecretHandler(t *testing.T) { | |||||||
| 				assert.Equal(t, testData.expectedResultSecret.Annotations[VersionAnnotation], secret.Annotations[VersionAnnotation]) | 				assert.Equal(t, testData.expectedResultSecret.Annotations[VersionAnnotation], secret.Annotations[VersionAnnotation]) | ||||||
| 			} | 			} | ||||||
|  |  | ||||||
| 			//check if deployment has been restarted | 			// check if deployment has been restarted | ||||||
| 			deployment := &appsv1.Deployment{} | 			deployment := &appsv1.Deployment{} | ||||||
| 			err = cl.Get(ctx, types.NamespacedName{Name: testData.existingDeployment.Name, Namespace: namespace}, deployment) | 			err = cl.Get(ctx, types.NamespacedName{Name: testData.existingDeployment.Name, Namespace: namespace}, deployment) | ||||||
|  | 			assert.NoError(t, err) | ||||||
|  |  | ||||||
| 			_, ok := deployment.Spec.Template.Annotations[RestartAnnotation] | 			_, ok := deployment.Spec.Template.Annotations[RestartAnnotation] | ||||||
| 			if ok { | 			if ok { | ||||||
| @@ -849,7 +852,7 @@ func TestUpdateSecretHandler(t *testing.T) { | |||||||
| 				assert.False(t, testData.expectedRestart, "Deployment was restarted but should not have been.") | 				assert.False(t, testData.expectedRestart, "Deployment was restarted but should not have been.") | ||||||
| 			} | 			} | ||||||
|  |  | ||||||
| 			oldPodTemplateAnnotations := testData.existingDeployment.Spec.Template.ObjectMeta.Annotations | 			oldPodTemplateAnnotations := testData.existingDeployment.Spec.Template.Annotations | ||||||
| 			newPodTemplateAnnotations := deployment.Spec.Template.Annotations | 			newPodTemplateAnnotations := deployment.Spec.Template.Annotations | ||||||
| 			for name, expected := range oldPodTemplateAnnotations { | 			for name, expected := range oldPodTemplateAnnotations { | ||||||
| 				actual, ok := newPodTemplateAnnotations[name] | 				actual, ok := newPodTemplateAnnotations[name] | ||||||
|   | |||||||
| @@ -10,13 +10,14 @@ func AreVolumesUsingSecrets(volumes []corev1.Volume, secrets map[string]*corev1. | |||||||
| 			return false | 			return false | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 	if len(volumes) == 0 { | 	return len(volumes) > 0 | ||||||
| 		return false |  | ||||||
| 	} |  | ||||||
| 	return true |  | ||||||
| } | } | ||||||
|  |  | ||||||
| func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | func AppendUpdatedVolumeSecrets( | ||||||
|  | 	volumes []corev1.Volume, | ||||||
|  | 	secrets map[string]*corev1.Secret, | ||||||
|  | 	updatedDeploymentSecrets map[string]*corev1.Secret, | ||||||
|  | ) map[string]*corev1.Secret { | ||||||
| 	for i := 0; i < len(volumes); i++ { | 	for i := 0; i < len(volumes); i++ { | ||||||
| 		secret := IsVolumeUsingSecret(volumes[i], secrets) | 		secret := IsVolumeUsingSecret(volumes[i], secrets) | ||||||
| 		if secret != nil { | 		if secret != nil { | ||||||
|   | |||||||
							
								
								
									
										8
									
								
								pkg/testhelper/defaults/defaults.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										8
									
								
								pkg/testhelper/defaults/defaults.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,8 @@ | |||||||
|  | package defaults | ||||||
|  |  | ||||||
|  | import "time" | ||||||
|  |  | ||||||
|  | const ( | ||||||
|  | 	E2EInterval = 1 * time.Second | ||||||
|  | 	E2ETimeout  = 1 * time.Minute | ||||||
|  | ) | ||||||
							
								
								
									
										23
									
								
								pkg/testhelper/kind/kind.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										23
									
								
								pkg/testhelper/kind/kind.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,23 @@ | |||||||
|  | package kind | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"os" | ||||||
|  |  | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  |  | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // LoadImageToKind loads a local docker image to the Kind cluster | ||||||
|  | func LoadImageToKind(imageName string) { | ||||||
|  | 	By("Loading the operator image on Kind") | ||||||
|  | 	clusterName := "kind" | ||||||
|  | 	if value, ok := os.LookupEnv("KIND_CLUSTER"); ok { | ||||||
|  | 		clusterName = value | ||||||
|  | 	} | ||||||
|  | 	_, err := system.Run("kind", "load", "docker-image", imageName, "--name", clusterName) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  | } | ||||||
							
								
								
									
										125
									
								
								pkg/testhelper/kube/deployment.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										125
									
								
								pkg/testhelper/kube/deployment.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,125 @@ | |||||||
|  | package kube | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"context" | ||||||
|  | 	"time" | ||||||
|  |  | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  | 	appsv1 "k8s.io/api/apps/v1" | ||||||
|  | 	corev1 "k8s.io/api/core/v1" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | type Deployment struct { | ||||||
|  | 	client client.Client | ||||||
|  | 	config *Config | ||||||
|  | 	name   string | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (d *Deployment) Get(ctx context.Context) *appsv1.Deployment { | ||||||
|  | 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 	defer cancel() | ||||||
|  |  | ||||||
|  | 	deployment := &appsv1.Deployment{} | ||||||
|  | 	err := d.client.Get(c, client.ObjectKey{Name: d.name, Namespace: d.config.Namespace}, deployment) | ||||||
|  | 	Expect(err).ToNot(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	return deployment | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (d *Deployment) ReadEnvVar(ctx context.Context, envVarName string) string { | ||||||
|  | 	By("Reading " + envVarName + " value from deployment/" + d.name) | ||||||
|  | 	deployment := d.Get(ctx) | ||||||
|  |  | ||||||
|  | 	// Search env across all containers | ||||||
|  | 	found := "" | ||||||
|  | 	for _, container := range deployment.Spec.Template.Spec.Containers { | ||||||
|  | 		for _, env := range container.Env { | ||||||
|  | 			if env.Name == envVarName && env.Value != "" { | ||||||
|  | 				found = env.Value | ||||||
|  | 				break | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	Expect(found).NotTo(BeEmpty()) | ||||||
|  | 	return found | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (d *Deployment) PatchEnvVars(ctx context.Context, upsert []corev1.EnvVar, remove []string) { | ||||||
|  | 	By("Patching env variables for deployment/" + d.name) | ||||||
|  | 	deployment := d.Get(ctx) | ||||||
|  | 	deploymentCopy := deployment.DeepCopy() | ||||||
|  | 	container := &deployment.Spec.Template.Spec.Containers[0] | ||||||
|  |  | ||||||
|  | 	// Build removal set for quick lookup | ||||||
|  | 	toRemove := make(map[string]struct{}, len(remove)) | ||||||
|  | 	for _, n := range remove { | ||||||
|  | 		toRemove[n] = struct{}{} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Build upsert map for quick lookup | ||||||
|  | 	upserts := make(map[string]corev1.EnvVar, len(upsert)) | ||||||
|  | 	for _, e := range upsert { | ||||||
|  | 		upserts[e.Name] = e | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Filter existing envs: keep if not in remove and not being upserted | ||||||
|  | 	filtered := make([]corev1.EnvVar, 0, len(container.Env)) | ||||||
|  | 	for _, e := range container.Env { | ||||||
|  | 		if _, ok := toRemove[e.Name]; ok { | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		if newE, ok := upserts[e.Name]; ok { | ||||||
|  | 			filtered = append(filtered, newE) // replace existing | ||||||
|  | 			delete(upserts, e.Name)           // delete from map to not use once again | ||||||
|  | 		} else { | ||||||
|  | 			filtered = append(filtered, e) | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Append any new envs that weren’t already in the container | ||||||
|  | 	for _, e := range upserts { | ||||||
|  | 		filtered = append(filtered, e) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	container.Env = filtered | ||||||
|  |  | ||||||
|  | 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 	defer cancel() | ||||||
|  |  | ||||||
|  | 	err := d.client.Patch(c, deployment, client.MergeFrom(deploymentCopy)) | ||||||
|  | 	Expect(err).ToNot(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	// wait for new deployment to roll out | ||||||
|  | 	d.WaitDeploymentRolledOut(ctx) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // WaitDeploymentRolledOut waits for deployment to finish a rollout. | ||||||
|  | func (d *Deployment) WaitDeploymentRolledOut(ctx context.Context) { | ||||||
|  | 	By("Waiting for deployment/" + d.name + " to roll out") | ||||||
|  |  | ||||||
|  | 	deployment := d.Get(ctx) | ||||||
|  | 	targetGen := deployment.Generation | ||||||
|  |  | ||||||
|  | 	Eventually(func(g Gomega) error { | ||||||
|  | 		newDeployment := d.Get(ctx) | ||||||
|  | 		g.Expect(newDeployment.Status.ObservedGeneration).To(BeNumerically(">=", targetGen)) | ||||||
|  |  | ||||||
|  | 		desired := int32(1) | ||||||
|  | 		if newDeployment.Spec.Replicas != nil { | ||||||
|  | 			desired = *newDeployment.Spec.Replicas | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		g.Expect(newDeployment.Status.UpdatedReplicas).To(Equal(desired)) | ||||||
|  | 		g.Expect(newDeployment.Status.AvailableReplicas).To(Equal(desired)) | ||||||
|  | 		g.Expect(newDeployment.Status.Replicas).To(Equal(desired)) | ||||||
|  |  | ||||||
|  | 		return nil | ||||||
|  | 	}, d.config.TestConfig.Timeout, d.config.TestConfig.Interval).Should(Succeed()) | ||||||
|  | } | ||||||
							
								
								
									
										224
									
								
								pkg/testhelper/kube/kube.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										224
									
								
								pkg/testhelper/kube/kube.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,224 @@ | |||||||
|  | package kube | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"context" | ||||||
|  | 	"fmt" | ||||||
|  | 	"os" | ||||||
|  | 	"path/filepath" | ||||||
|  | 	"time" | ||||||
|  |  | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  | 	appsv1 "k8s.io/api/apps/v1" | ||||||
|  | 	corev1 "k8s.io/api/core/v1" | ||||||
|  | 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" | ||||||
|  | 	apix "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" | ||||||
|  | 	apierrors "k8s.io/apimachinery/pkg/api/errors" | ||||||
|  | 	"k8s.io/apimachinery/pkg/api/meta" | ||||||
|  | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||||
|  | 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" | ||||||
|  | 	"k8s.io/apimachinery/pkg/runtime" | ||||||
|  | 	utilruntime "k8s.io/apimachinery/pkg/util/runtime" | ||||||
|  | 	"k8s.io/apimachinery/pkg/util/yaml" | ||||||
|  | 	"k8s.io/client-go/rest" | ||||||
|  | 	"k8s.io/client-go/tools/clientcmd" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil" | ||||||
|  |  | ||||||
|  | 	apiv1 "github.com/1Password/onepassword-operator/api/v1" | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/defaults" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | type TestConfig struct { | ||||||
|  | 	Timeout  time.Duration | ||||||
|  | 	Interval time.Duration | ||||||
|  | } | ||||||
|  |  | ||||||
|  | type Config struct { | ||||||
|  | 	Namespace    string | ||||||
|  | 	ManifestsDir string | ||||||
|  | 	TestConfig   *TestConfig | ||||||
|  | 	CRDs         []string | ||||||
|  | } | ||||||
|  |  | ||||||
|  | type Kube struct { | ||||||
|  | 	Config *Config | ||||||
|  | 	Client client.Client | ||||||
|  | 	Mapper meta.RESTMapper | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func NewKubeClient(config *Config) *Kube { | ||||||
|  | 	By("Creating a kubernetes client") | ||||||
|  | 	kubeconfig := os.Getenv("KUBECONFIG") | ||||||
|  | 	if kubeconfig == "" { | ||||||
|  | 		home, _ := os.UserHomeDir() | ||||||
|  | 		kubeconfig = filepath.Join(home, ".kube", "config") | ||||||
|  | 	} | ||||||
|  | 	restConfig, err := clientcmd.BuildConfigFromFlags("", kubeconfig) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	// Install CRDs first (so discovery sees them) | ||||||
|  | 	installCRDs(context.Background(), restConfig, config.CRDs) | ||||||
|  |  | ||||||
|  | 	// Build an http.Client from restConfig | ||||||
|  | 	httpClient, err := rest.HTTPClientFor(restConfig) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	// Create a Dynamic RESTMapper that uses restConfig | ||||||
|  | 	rm, err := apiutil.NewDynamicRESTMapper(restConfig, httpClient) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	scheme := runtime.NewScheme() | ||||||
|  | 	utilruntime.Must(corev1.AddToScheme(scheme)) | ||||||
|  | 	utilruntime.Must(appsv1.AddToScheme(scheme)) | ||||||
|  | 	utilruntime.Must(apiv1.AddToScheme(scheme)) // add OnePasswordItem to scheme | ||||||
|  |  | ||||||
|  | 	kubernetesClient, err := client.New(restConfig, client.Options{ | ||||||
|  | 		Scheme: scheme, | ||||||
|  | 		Mapper: rm, | ||||||
|  | 	}) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	// update the current context’s namespace in kubeconfig | ||||||
|  | 	pathOpts := clientcmd.NewDefaultPathOptions() | ||||||
|  | 	cfg, err := pathOpts.GetStartingConfig() | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	currentContext := cfg.CurrentContext | ||||||
|  | 	Expect(currentContext).NotTo(BeEmpty(), "no current kube context is set in kubeconfig") | ||||||
|  |  | ||||||
|  | 	ctx, ok := cfg.Contexts[currentContext] | ||||||
|  | 	Expect(ok).To(BeTrue(), fmt.Sprintf("current context %q not found in kubeconfig", currentContext)) | ||||||
|  |  | ||||||
|  | 	ctx.Namespace = config.Namespace | ||||||
|  | 	err = clientcmd.ModifyConfig(pathOpts, *cfg, true) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	return &Kube{ | ||||||
|  | 		Config: config, | ||||||
|  | 		Client: kubernetesClient, | ||||||
|  | 		Mapper: rm, | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (k *Kube) Secret(name string) *Secret { | ||||||
|  | 	return &Secret{ | ||||||
|  | 		client: k.Client, | ||||||
|  | 		config: k.Config, | ||||||
|  | 		name:   name, | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (k *Kube) Deployment(name string) *Deployment { | ||||||
|  | 	return &Deployment{ | ||||||
|  | 		client: k.Client, | ||||||
|  | 		config: k.Config, | ||||||
|  | 		name:   name, | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (k *Kube) Pod(selector map[string]string) *Pod { | ||||||
|  | 	return &Pod{ | ||||||
|  | 		client:   k.Client, | ||||||
|  | 		config:   k.Config, | ||||||
|  | 		selector: selector, | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (k *Kube) Namespace(name string) *Namespace { | ||||||
|  | 	return &Namespace{ | ||||||
|  | 		client: k.Client, | ||||||
|  | 		config: k.Config, | ||||||
|  | 		name:   name, | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ApplyOnePasswordItem applies a OnePasswordItem manifest. | ||||||
|  | func (k *Kube) ApplyOnePasswordItem(ctx context.Context, fileName string) { | ||||||
|  | 	By("Applying " + fileName) | ||||||
|  |  | ||||||
|  | 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 	defer cancel() | ||||||
|  |  | ||||||
|  | 	data, err := os.ReadFile(k.Config.ManifestsDir + "/" + fileName) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	// Decode YAML -> JSON -> unstructured.Unstructured | ||||||
|  | 	jsonBytes, err := yaml.ToJSON(data) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	var obj unstructured.Unstructured | ||||||
|  | 	Expect(obj.UnmarshalJSON(jsonBytes)).To(Succeed()) | ||||||
|  |  | ||||||
|  | 	// Default namespace for namespaced resources if not set in YAML | ||||||
|  | 	if obj.GetNamespace() == "" && k.Config.Namespace != "" { | ||||||
|  | 		gvk := obj.GroupVersionKind() | ||||||
|  | 		mapping, mapErr := k.Mapper.RESTMapping(gvk.GroupKind(), gvk.Version) | ||||||
|  | 		if mapErr == nil && mapping.Scope.Name() == meta.RESTScopeNameNamespace { | ||||||
|  | 			obj.SetNamespace(k.Config.Namespace) | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Server-Side Apply (create or update) | ||||||
|  | 	patchOpts := []client.PatchOption{ | ||||||
|  | 		client.FieldOwner("onepassword-e2e"), | ||||||
|  | 		client.ForceOwnership, // to force-take conflicting fields | ||||||
|  | 	} | ||||||
|  | 	Expect(k.Client.Patch(c, &obj, client.Apply, patchOpts...)).To(Succeed()) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func installCRDs(ctx context.Context, restConfig *rest.Config, crdFiles []string) { | ||||||
|  | 	apixClient, err := apix.NewForConfig(restConfig) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	for _, f := range crdFiles { | ||||||
|  | 		By("Installing CRD " + f) | ||||||
|  | 		b, err := os.ReadFile(filepath.Clean(f)) | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		var crd apiextv1.CustomResourceDefinition | ||||||
|  | 		err = yaml.Unmarshal(b, &crd) | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		// Create or Update | ||||||
|  | 		_, err = apixClient.ApiextensionsV1().CustomResourceDefinitions().Create(ctx, &crd, metav1.CreateOptions{}) | ||||||
|  | 		if apierrors.IsAlreadyExists(err) { | ||||||
|  | 			existing, getErr := apixClient.ApiextensionsV1().CustomResourceDefinitions().Get(ctx, crd.Name, metav1.GetOptions{}) | ||||||
|  | 			Expect(getErr).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 			crd.ResourceVersion = existing.ResourceVersion | ||||||
|  | 			_, err = apixClient.ApiextensionsV1().CustomResourceDefinitions().Update(ctx, &crd, metav1.UpdateOptions{}) | ||||||
|  | 		} | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		waitCRDEstablished(ctx, apixClient, crd.Name) | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // waitCRDEstablished Wait until the CRD reaches Established=True, retrying until the suite timeout. | ||||||
|  | func waitCRDEstablished(ctx context.Context, apixClient *apix.Clientset, name string) { | ||||||
|  | 	By("Waiting for CRD " + name + " to be Established") | ||||||
|  |  | ||||||
|  | 	Eventually(func(g Gomega) { | ||||||
|  | 		// Short per-attempt timeout so a single Get can't hang the whole Eventually loop. | ||||||
|  | 		attemptCtx, cancel := context.WithTimeout(ctx, 5*time.Second) | ||||||
|  | 		defer cancel() | ||||||
|  |  | ||||||
|  | 		crd, err := apixClient.ApiextensionsV1(). | ||||||
|  | 			CustomResourceDefinitions(). | ||||||
|  | 			Get(attemptCtx, name, metav1.GetOptions{}) | ||||||
|  | 		g.Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		established := false | ||||||
|  | 		for _, c := range crd.Status.Conditions { | ||||||
|  | 			if c.Type == apiextv1.Established && c.Status == apiextv1.ConditionTrue { | ||||||
|  | 				established = true | ||||||
|  | 				break | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 		g.Expect(established).To(BeTrue(), "CRD %q is not Established yet", name) | ||||||
|  | 	}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed()) | ||||||
|  | } | ||||||
							
								
								
									
										41
									
								
								pkg/testhelper/kube/namespace.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										41
									
								
								pkg/testhelper/kube/namespace.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,41 @@ | |||||||
|  | package kube | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"context" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  | 	corev1 "k8s.io/api/core/v1" | ||||||
|  | 	"k8s.io/apimachinery/pkg/labels" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | type Namespace struct { | ||||||
|  | 	client client.Client | ||||||
|  | 	config *Config | ||||||
|  | 	name   string | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // LabelNamespace applies the given labels to the specified namespace | ||||||
|  | func (n *Namespace) LabelNamespace(ctx context.Context, labelsMap map[string]string) { | ||||||
|  | 	if len(labelsMap) == 0 { | ||||||
|  | 		return | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	By("Setting labelsMap " + labels.Set(labelsMap).String() + " to namespace/" + n.name) | ||||||
|  | 	ns := &corev1.Namespace{} | ||||||
|  | 	err := n.client.Get(ctx, client.ObjectKey{Name: n.name}, ns) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	if ns.Labels == nil { | ||||||
|  | 		ns.Labels = map[string]string{} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	for k, v := range labelsMap { | ||||||
|  | 		ns.Labels[k] = v | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	err = n.client.Update(ctx, ns) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  | } | ||||||
							
								
								
									
										47
									
								
								pkg/testhelper/kube/pod.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										47
									
								
								pkg/testhelper/kube/pod.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,47 @@ | |||||||
|  | package kube | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"context" | ||||||
|  | 	"time" | ||||||
|  |  | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  | 	corev1 "k8s.io/api/core/v1" | ||||||
|  | 	"k8s.io/apimachinery/pkg/labels" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | type Pod struct { | ||||||
|  | 	client   client.Client | ||||||
|  | 	config   *Config | ||||||
|  | 	selector map[string]string | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func (p *Pod) WaitingForRunningPod(ctx context.Context) { | ||||||
|  | 	By("Waiting for the pod " + labels.Set(p.selector).String() + " to be 'Running'") | ||||||
|  |  | ||||||
|  | 	Eventually(func(g Gomega) { | ||||||
|  | 		// short per-attempt timeout to avoid hanging calls while Eventually polls | ||||||
|  | 		attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 		defer cancel() | ||||||
|  |  | ||||||
|  | 		var pods corev1.PodList | ||||||
|  | 		listOpts := []client.ListOption{ | ||||||
|  | 			client.InNamespace(p.config.Namespace), | ||||||
|  | 			client.MatchingLabels(p.selector), | ||||||
|  | 		} | ||||||
|  | 		g.Expect(p.client.List(attemptCtx, &pods, listOpts...)).To(Succeed()) | ||||||
|  | 		g.Expect(pods.Items).NotTo(BeEmpty(), "no pods found with selector %q", labels.Set(p.selector).String()) | ||||||
|  |  | ||||||
|  | 		foundRunning := false | ||||||
|  | 		for _, p := range pods.Items { | ||||||
|  | 			if p.Status.Phase == corev1.PodRunning { | ||||||
|  | 				foundRunning = true | ||||||
|  | 				break | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 		g.Expect(foundRunning).To(BeTrue(), "pod not Running yet") | ||||||
|  | 	}, p.config.TestConfig.Timeout, p.config.TestConfig.Interval).Should(Succeed()) | ||||||
|  | } | ||||||
							
								
								
									
										141
									
								
								pkg/testhelper/kube/secret.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										141
									
								
								pkg/testhelper/kube/secret.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,141 @@ | |||||||
|  | package kube | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"context" | ||||||
|  | 	"encoding/base64" | ||||||
|  | 	"os" | ||||||
|  | 	"path/filepath" | ||||||
|  | 	"time" | ||||||
|  |  | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  | 	corev1 "k8s.io/api/core/v1" | ||||||
|  | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||||
|  | 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||||
|  |  | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | type Secret struct { | ||||||
|  | 	client client.Client | ||||||
|  | 	config *Config | ||||||
|  | 	name   string | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // CreateFromEnvVar creates a kubernetes secret from an environment variable | ||||||
|  | func (s *Secret) CreateFromEnvVar(ctx context.Context, envVar string) *corev1.Secret { | ||||||
|  | 	By("Creating '" + s.name + "' secret from environment variable") | ||||||
|  |  | ||||||
|  | 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 	defer cancel() | ||||||
|  |  | ||||||
|  | 	value, ok := os.LookupEnv(envVar) | ||||||
|  | 	Expect(ok).To(BeTrue()) | ||||||
|  | 	Expect(value).NotTo(BeEmpty()) | ||||||
|  |  | ||||||
|  | 	secret := &corev1.Secret{ | ||||||
|  | 		ObjectMeta: metav1.ObjectMeta{ | ||||||
|  | 			Name:      s.name, | ||||||
|  | 			Namespace: s.config.Namespace, | ||||||
|  | 		}, | ||||||
|  | 		StringData: map[string]string{ | ||||||
|  | 			"token": value, | ||||||
|  | 		}, | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	err := s.client.Create(c, secret) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	return secret | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // CreateFromFile creates a kubernetes secret from a file | ||||||
|  | func (s *Secret) CreateFromFile(ctx context.Context, fileName string, content []byte) *corev1.Secret { | ||||||
|  | 	By("Creating '" + s.name + "' secret from file " + fileName) | ||||||
|  |  | ||||||
|  | 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 	defer cancel() | ||||||
|  |  | ||||||
|  | 	secret := &corev1.Secret{ | ||||||
|  | 		ObjectMeta: metav1.ObjectMeta{ | ||||||
|  | 			Name:      s.name, | ||||||
|  | 			Namespace: s.config.Namespace, | ||||||
|  | 		}, | ||||||
|  | 		Data: map[string][]byte{ | ||||||
|  | 			filepath.Base(fileName): content, | ||||||
|  | 		}, | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	err := s.client.Create(c, secret) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	return secret | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // CreateOpCredentials creates a kubernetes secret from 1password-credentials.json file in the project root | ||||||
|  | // encodes it in base64 and saves it to op-session file | ||||||
|  | func (s *Secret) CreateOpCredentials(ctx context.Context) *corev1.Secret { | ||||||
|  | 	rootDir, err := system.GetProjectRoot() | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	credentialsFilePath := filepath.Join(rootDir, "1password-credentials.json") | ||||||
|  | 	data, err := os.ReadFile(credentialsFilePath) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	encoded := base64.RawURLEncoding.EncodeToString(data) | ||||||
|  |  | ||||||
|  | 	return s.CreateFromFile(ctx, "op-session", []byte(encoded)) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Get retrieves a kubernetes secret | ||||||
|  | func (s *Secret) Get(ctx context.Context) *corev1.Secret { | ||||||
|  | 	By("Getting '" + s.name + "' secret") | ||||||
|  |  | ||||||
|  | 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 	defer cancel() | ||||||
|  |  | ||||||
|  | 	secret := &corev1.Secret{} | ||||||
|  | 	err := s.client.Get(c, client.ObjectKey{Name: s.name, Namespace: s.config.Namespace}, secret) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 	return secret | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Delete deletes a kubernetes secret | ||||||
|  | func (s *Secret) Delete(ctx context.Context) { | ||||||
|  | 	By("Deleting '" + s.name + "' secret") | ||||||
|  |  | ||||||
|  | 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 	defer cancel() | ||||||
|  |  | ||||||
|  | 	secret := &corev1.Secret{ | ||||||
|  | 		ObjectMeta: metav1.ObjectMeta{ | ||||||
|  | 			Name:      s.name, | ||||||
|  | 			Namespace: s.config.Namespace, | ||||||
|  | 		}, | ||||||
|  | 	} | ||||||
|  | 	err := s.client.Delete(c, secret) | ||||||
|  | 	Expect(err).NotTo(HaveOccurred()) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // CheckIfExists repeatedly attempts to retrieve the given Secret | ||||||
|  | // from the cluster until it is found or the test's timeout expires. | ||||||
|  | func (s *Secret) CheckIfExists(ctx context.Context) { | ||||||
|  | 	By("Checking '" + s.name + "' secret") | ||||||
|  |  | ||||||
|  | 	Eventually(func(g Gomega) { | ||||||
|  | 		// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 		attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 		defer cancel() | ||||||
|  |  | ||||||
|  | 		secret := &corev1.Secret{} | ||||||
|  | 		err := s.client.Get(attemptCtx, client.ObjectKey{Name: s.name, Namespace: s.config.Namespace}, secret) | ||||||
|  | 		g.Expect(err).NotTo(HaveOccurred()) | ||||||
|  | 	}, s.config.TestConfig.Timeout, s.config.TestConfig.Interval).Should(Succeed()) | ||||||
|  | } | ||||||
							
								
								
									
										32
									
								
								pkg/testhelper/op/op.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										32
									
								
								pkg/testhelper/op/op.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,32 @@ | |||||||
|  | package op | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"fmt" | ||||||
|  |  | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | type Field string | ||||||
|  |  | ||||||
|  | const ( | ||||||
|  | 	FieldUsername = "username" | ||||||
|  | 	FieldPassword = "password" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // UpdateItemPassword updates the password of an item in 1Password | ||||||
|  | func UpdateItemPassword(item string) error { | ||||||
|  | 	_, err := system.Run("op", "item", "edit", item, "--generate-password=letters,digits,symbols,32") | ||||||
|  | 	if err != nil { | ||||||
|  | 		return err | ||||||
|  | 	} | ||||||
|  | 	return nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ReadItemField reads the password of an item in 1Password | ||||||
|  | func ReadItemField(item, vault string, field Field) (string, error) { | ||||||
|  | 	output, err := system.Run("op", "read", fmt.Sprintf("op://%s/%s/%s", vault, item, field)) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return "", err | ||||||
|  | 	} | ||||||
|  | 	return output, nil | ||||||
|  | } | ||||||
							
								
								
									
										53
									
								
								pkg/testhelper/system/system.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										53
									
								
								pkg/testhelper/system/system.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,53 @@ | |||||||
|  | package system | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"fmt" | ||||||
|  | 	"os" | ||||||
|  | 	"os/exec" | ||||||
|  | 	"path/filepath" | ||||||
|  | 	"strings" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // Run executes the provided command within this context | ||||||
|  | func Run(name string, args ...string) (string, error) { | ||||||
|  | 	cmd := exec.Command(name, args...) | ||||||
|  |  | ||||||
|  | 	rootDir, err := GetProjectRoot() | ||||||
|  | 	if err != nil { | ||||||
|  | 		return "", err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	// Command will run from project root | ||||||
|  | 	cmd.Dir = rootDir | ||||||
|  |  | ||||||
|  | 	command := strings.Join(cmd.Args, " ") | ||||||
|  | 	output, err := cmd.CombinedOutput() | ||||||
|  | 	if err != nil { | ||||||
|  | 		return string(output), fmt.Errorf("%s failed with error: (%v) %s", command, err, string(output)) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return string(output), nil | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func GetProjectRoot() (string, error) { | ||||||
|  | 	dir, err := os.Getwd() | ||||||
|  | 	if err != nil { | ||||||
|  | 		return "", err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	for { | ||||||
|  | 		// check if go.mod exists in current dir | ||||||
|  | 		modFile := filepath.Join(dir, "go.mod") | ||||||
|  | 		if _, err := os.Stat(modFile); err == nil { | ||||||
|  | 			return dir, nil | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		// move one level up | ||||||
|  | 		parent := filepath.Dir(dir) | ||||||
|  | 		if parent == dir { | ||||||
|  | 			// reached filesystem root | ||||||
|  | 			return "", fmt.Errorf("project root not found (no go.mod)") | ||||||
|  | 		} | ||||||
|  | 		dir = parent | ||||||
|  | 	} | ||||||
|  | } | ||||||
							
								
								
									
										14
									
								
								test/e2e/e2e_suite_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								test/e2e/e2e_suite_test.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,14 @@ | |||||||
|  | package e2e | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"testing" | ||||||
|  |  | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | // Run e2e tests using the Ginkgo runner. | ||||||
|  | func TestE2E(t *testing.T) { | ||||||
|  | 	RegisterFailHandler(Fail) | ||||||
|  | 	RunSpecs(t, "onepassword-operator e2e suite") | ||||||
|  | } | ||||||
							
								
								
									
										230
									
								
								test/e2e/e2e_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										230
									
								
								test/e2e/e2e_test.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,230 @@ | |||||||
|  | package e2e | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"context" | ||||||
|  | 	"path/filepath" | ||||||
|  | 	"strconv" | ||||||
|  | 	"time" | ||||||
|  |  | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/ginkgo/v2" | ||||||
|  | 	//nolint:staticcheck // ST1001 | ||||||
|  | 	. "github.com/onsi/gomega" | ||||||
|  | 	corev1 "k8s.io/api/core/v1" | ||||||
|  |  | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/defaults" | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/kind" | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/kube" | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/op" | ||||||
|  | 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | const ( | ||||||
|  | 	operatorImageName = "1password/onepassword-operator:latest" | ||||||
|  | 	vaultName         = "operator-acceptance-tests" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | var kubeClient *kube.Kube | ||||||
|  |  | ||||||
|  | var _ = Describe("Onepassword Operator e2e", Ordered, func() { | ||||||
|  | 	ctx := context.Background() | ||||||
|  |  | ||||||
|  | 	BeforeAll(func() { | ||||||
|  | 		rootDir, err := system.GetProjectRoot() | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		kubeClient = kube.NewKubeClient(&kube.Config{ | ||||||
|  | 			Namespace:    "default", | ||||||
|  | 			ManifestsDir: filepath.Join("manifests"), | ||||||
|  | 			TestConfig: &kube.TestConfig{ | ||||||
|  | 				Timeout:  defaults.E2ETimeout, | ||||||
|  | 				Interval: defaults.E2EInterval, | ||||||
|  | 			}, | ||||||
|  | 			CRDs: []string{ | ||||||
|  | 				filepath.Join(rootDir, "config", "crd", "bases", "onepassword.com_onepassworditems.yaml"), | ||||||
|  | 			}, | ||||||
|  | 		}) | ||||||
|  |  | ||||||
|  | 		By("Building the Operator image") | ||||||
|  | 		_, err = system.Run("make", "docker-build") | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		kind.LoadImageToKind(operatorImageName) | ||||||
|  |  | ||||||
|  | 		kubeClient.Secret("op-credentials").CreateOpCredentials(ctx) | ||||||
|  | 		kubeClient.Secret("op-credentials").CheckIfExists(ctx) | ||||||
|  |  | ||||||
|  | 		kubeClient.Secret("onepassword-token").CreateFromEnvVar(ctx, "OP_CONNECT_TOKEN") | ||||||
|  | 		kubeClient.Secret("onepassword-token").CheckIfExists(ctx) | ||||||
|  |  | ||||||
|  | 		kubeClient.Secret("onepassword-service-account-token").CreateFromEnvVar(ctx, "OP_SERVICE_ACCOUNT_TOKEN") | ||||||
|  | 		kubeClient.Secret("onepassword-service-account-token").CheckIfExists(ctx) | ||||||
|  |  | ||||||
|  | 		_, err = system.Run("make", "deploy") | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  | 		kubeClient.Pod(map[string]string{"name": "onepassword-connect-operator"}).WaitingForRunningPod(ctx) | ||||||
|  | 	}) | ||||||
|  |  | ||||||
|  | 	Context("Use the operator with Connect", func() { | ||||||
|  | 		BeforeAll(func() { | ||||||
|  | 			kubeClient.Pod(map[string]string{"app": "onepassword-connect"}).WaitingForRunningPod(ctx) | ||||||
|  | 		}) | ||||||
|  |  | ||||||
|  | 		runCommonTestCases(ctx) | ||||||
|  | 	}) | ||||||
|  |  | ||||||
|  | 	Context("Use the operator with Service Account", func() { | ||||||
|  | 		BeforeAll(func() { | ||||||
|  | 			kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||||
|  | 				{Name: "MANAGE_CONNECT", Value: "false"}, | ||||||
|  | 				{ | ||||||
|  | 					Name: "OP_SERVICE_ACCOUNT_TOKEN", | ||||||
|  | 					ValueFrom: &corev1.EnvVarSource{ | ||||||
|  | 						SecretKeyRef: &corev1.SecretKeySelector{ | ||||||
|  | 							LocalObjectReference: corev1.LocalObjectReference{ | ||||||
|  | 								Name: "onepassword-service-account-token", | ||||||
|  | 							}, | ||||||
|  | 							Key: "token", | ||||||
|  | 						}, | ||||||
|  | 					}, | ||||||
|  | 				}, | ||||||
|  | 			}, []string{"OP_CONNECT_HOST", "OP_CONNECT_TOKEN"}) | ||||||
|  |  | ||||||
|  | 			kubeClient.Secret("login").Delete(ctx)             // remove secret crated in previous test | ||||||
|  | 			kubeClient.Secret("secret-ignored").Delete(ctx)    // remove secret crated in previous test | ||||||
|  | 			kubeClient.Secret("secret-for-update").Delete(ctx) // remove secret crated in previous test | ||||||
|  | 		}) | ||||||
|  |  | ||||||
|  | 		runCommonTestCases(ctx) | ||||||
|  | 	}) | ||||||
|  | }) | ||||||
|  |  | ||||||
|  | // runCommonTestCases contains test cases that are common to both Connect and Service Account authentication methods. | ||||||
|  | func runCommonTestCases(ctx context.Context) { | ||||||
|  | 	It("Should create secret from manifest file", func() { | ||||||
|  | 		By("Creating secret `login` from 1Password item") | ||||||
|  | 		kubeClient.ApplyOnePasswordItem(ctx, "secret.yaml") | ||||||
|  | 		kubeClient.Secret("login").CheckIfExists(ctx) | ||||||
|  | 	}) | ||||||
|  |  | ||||||
|  | 	It("Secret is updated after POOLING_INTERVAL", func() { | ||||||
|  | 		itemName := "secret-for-update" | ||||||
|  | 		secretName := itemName | ||||||
|  |  | ||||||
|  | 		By("Creating secret `" + secretName + "` from 1Password item") | ||||||
|  | 		kubeClient.ApplyOnePasswordItem(ctx, secretName+".yaml") | ||||||
|  | 		kubeClient.Secret(secretName).CheckIfExists(ctx) | ||||||
|  |  | ||||||
|  | 		By("Reading old password") | ||||||
|  | 		secret := kubeClient.Secret(secretName).Get(ctx) | ||||||
|  | 		oldPassword, ok := secret.Data["password"] | ||||||
|  | 		Expect(ok).To(BeTrue()) | ||||||
|  |  | ||||||
|  | 		By("Updating `" + secretName + "` 1Password item") | ||||||
|  | 		err := op.UpdateItemPassword(itemName) | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		// checking that password was updated | ||||||
|  | 		Eventually(func(g Gomega) { | ||||||
|  | 			// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 			attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||||
|  | 			defer cancel() | ||||||
|  |  | ||||||
|  | 			secret = kubeClient.Secret(secretName).Get(attemptCtx) | ||||||
|  | 			g.Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 			newPassword, ok := secret.Data["password"] | ||||||
|  | 			g.Expect(ok).To(BeTrue()) | ||||||
|  | 			g.Expect(newPassword).NotTo(Equal(oldPassword)) | ||||||
|  | 		}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed()) | ||||||
|  | 	}) | ||||||
|  |  | ||||||
|  | 	It("1Password item with `ignore-secret` doesn't pull updates to kubernetes secret", func() { | ||||||
|  | 		itemName := "secret-ignored" | ||||||
|  | 		secretName := itemName | ||||||
|  |  | ||||||
|  | 		By("Creating secret `" + secretName + "` from 1Password item") | ||||||
|  | 		kubeClient.ApplyOnePasswordItem(ctx, secretName+".yaml") | ||||||
|  | 		kubeClient.Secret(secretName).CheckIfExists(ctx) | ||||||
|  |  | ||||||
|  | 		By("Reading old password") | ||||||
|  | 		secret := kubeClient.Secret(secretName).Get(ctx) | ||||||
|  | 		oldPassword, ok := secret.Data["password"] | ||||||
|  | 		Expect(ok).To(BeTrue()) | ||||||
|  |  | ||||||
|  | 		By("Updating `" + secretName + "` 1Password item") | ||||||
|  | 		err := op.UpdateItemPassword(itemName) | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		newPassword, err := op.ReadItemField(itemName, vaultName, op.FieldPassword) | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  | 		Expect(newPassword).NotTo(BeEquivalentTo(oldPassword)) | ||||||
|  |  | ||||||
|  | 		// checking that password was NOT updated | ||||||
|  | 		Eventually(func(g Gomega) { | ||||||
|  | 			// Derive a short-lived context so this API call won't hang indefinitely. | ||||||
|  | 			attemptCtx, cancel := context.WithTimeout(ctx, 30*time.Second) | ||||||
|  | 			defer cancel() | ||||||
|  |  | ||||||
|  | 			intervalStr := kubeClient.Deployment("onepassword-connect-operator").ReadEnvVar(attemptCtx, "POLLING_INTERVAL") | ||||||
|  | 			Expect(intervalStr).NotTo(BeEmpty()) | ||||||
|  |  | ||||||
|  | 			i, err := strconv.Atoi(intervalStr) | ||||||
|  | 			Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 			// convert to duration in seconds | ||||||
|  | 			interval := time.Duration(i) * time.Second | ||||||
|  | 			// wait for one polling interval + 2 seconds to make sure updated secret is pulled | ||||||
|  | 			time.Sleep(interval + 2*time.Second) | ||||||
|  |  | ||||||
|  | 			secret = kubeClient.Secret(secretName).Get(attemptCtx) | ||||||
|  | 			g.Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 			currentPassword, ok := secret.Data["password"] | ||||||
|  | 			Expect(ok).To(BeTrue()) | ||||||
|  | 			Expect(currentPassword).To(BeEquivalentTo(oldPassword)) | ||||||
|  | 			Expect(currentPassword).NotTo(BeEquivalentTo(newPassword)) | ||||||
|  | 		}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed()) | ||||||
|  | 	}) | ||||||
|  |  | ||||||
|  | 	It("AUTO_RESTART restarts deployments using 1Password secrets after item update", func() { | ||||||
|  | 		By("Enabling AUTO_RESTART") | ||||||
|  | 		kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||||
|  | 			{Name: "AUTO_RESTART", Value: "true"}, | ||||||
|  | 		}, nil) | ||||||
|  |  | ||||||
|  | 		DeferCleanup(func() { | ||||||
|  | 			By("Disabling AUTO_RESTART") | ||||||
|  | 			// disable AUTO_RESTART after test | ||||||
|  | 			kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||||
|  | 				{Name: "AUTO_RESTART", Value: "false"}, | ||||||
|  | 			}, nil) | ||||||
|  | 		}) | ||||||
|  |  | ||||||
|  | 		// Ensure the secret exists (created in earlier test), but apply again safely just in case | ||||||
|  | 		kubeClient.ApplyOnePasswordItem(ctx, "secret-for-update.yaml") | ||||||
|  | 		kubeClient.Secret("secret-for-update").CheckIfExists(ctx) | ||||||
|  |  | ||||||
|  | 		// add custom secret to the operator | ||||||
|  | 		kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||||
|  | 			{ | ||||||
|  | 				Name: "CUSTOM_SECRET", | ||||||
|  | 				ValueFrom: &corev1.EnvVarSource{ | ||||||
|  | 					SecretKeyRef: &corev1.SecretKeySelector{ | ||||||
|  | 						LocalObjectReference: corev1.LocalObjectReference{ | ||||||
|  | 							Name: "secret-for-update", | ||||||
|  | 						}, | ||||||
|  | 						Key: "password", | ||||||
|  | 					}, | ||||||
|  | 				}, | ||||||
|  | 			}, | ||||||
|  | 		}, nil) | ||||||
|  |  | ||||||
|  | 		By("Updating `secret-for-update` 1Password item") | ||||||
|  | 		err := op.UpdateItemPassword("secret-for-update") | ||||||
|  | 		Expect(err).NotTo(HaveOccurred()) | ||||||
|  |  | ||||||
|  | 		By("Checking the operator is restarted") | ||||||
|  | 		kubeClient.Deployment("onepassword-connect-operator").WaitDeploymentRolledOut(ctx) | ||||||
|  | 	}) | ||||||
|  | } | ||||||
							
								
								
									
										6
									
								
								test/e2e/manifests/secret-for-update.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								test/e2e/manifests/secret-for-update.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | |||||||
|  | apiVersion: onepassword.com/v1 | ||||||
|  | kind: OnePasswordItem | ||||||
|  | metadata: | ||||||
|  |   name: secret-for-update | ||||||
|  | spec: | ||||||
|  |   itemPath: "vaults/operator-acceptance-tests/items/secret-for-update" | ||||||
							
								
								
									
										6
									
								
								test/e2e/manifests/secret-ignored.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								test/e2e/manifests/secret-ignored.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | |||||||
|  | apiVersion: onepassword.com/v1 | ||||||
|  | kind: OnePasswordItem | ||||||
|  | metadata: | ||||||
|  |   name: secret-ignored | ||||||
|  | spec: | ||||||
|  |   itemPath: "vaults/operator-acceptance-tests/items/secret-ignored" | ||||||
							
								
								
									
										6
									
								
								test/e2e/manifests/secret.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								test/e2e/manifests/secret.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | |||||||
|  | apiVersion: onepassword.com/v1 | ||||||
|  | kind: OnePasswordItem | ||||||
|  | metadata: | ||||||
|  |   name: login | ||||||
|  | spec: | ||||||
|  |   itemPath: "vaults/operator-acceptance-tests/items/test-login" | ||||||
| @@ -2,5 +2,5 @@ package version | |||||||
|  |  | ||||||
| var ( | var ( | ||||||
| 	OperatorVersion    = "1.9.1" | 	OperatorVersion    = "1.9.1" | ||||||
| 	OperatorSDKVersion = "1.34.1" | 	OperatorSDKVersion = "1.41.1" | ||||||
| ) | ) | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user