diff --git a/Makefile b/Makefile index 4cd109c0b..bfd0ab734 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ GO_FLAGS = KUBECFG = kubecfg DOCKER = docker GINKGO = ginkgo -p -CONTROLLER_GEN ?= controller-gen +CONTROLLER_GEN ?= go run sigs.k8s.io/controller-tools/cmd/controller-gen@latest REGISTRY ?= docker.io CONTROLLER_IMAGE = $(REGISTRY)/bitnami/sealed-secrets-controller:latest @@ -45,8 +45,10 @@ GO_LD_FLAGS = -X main.VERSION=$(VERSION) all: controller kubeseal -generate: $(GO_FILES) - $(GO) generate $(GO_PACKAGES) +generate: + $(GO) mod vendor + ./hack/update-codegen.sh + rm -rf vendor manifests: $(CONTROLLER_GEN) crd:generateEmbeddedObjectMeta=true paths="./pkg/apis/..." output:stdout | tail -n +2 > helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml @@ -128,7 +130,7 @@ lint: $(GOLANGCILINT) run --enable goimports --timeout=5m lint-gosec: - $(GOSEC) -r --severity low + $(GOSEC) -r -severity low -exclude-generated clean: $(RM) ./controller ./kubeseal diff --git a/pkg/apis/sealedsecrets/v1alpha1/boilerplate.go.txt b/hack/boilerplate.go.txt similarity index 100% rename from pkg/apis/sealedsecrets/v1alpha1/boilerplate.go.txt rename to hack/boilerplate.go.txt diff --git a/tools.go b/hack/tools.go similarity index 92% rename from tools.go rename to hack/tools.go index 17c83ed4f..6b129c5d5 100644 --- a/tools.go +++ b/hack/tools.go @@ -5,7 +5,7 @@ //go:build tools // +build tools -package sealedsecrets +package tools import ( _ "k8s.io/code-generator" diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh new file mode 100755 index 000000000..e569f924d --- /dev/null +++ b/hack/update-codegen.sh 
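Review bot: `CONTROLLER_GEN ?= go run sigs.k8s.io/controller-tools/cmd/controller-gen@latest` resolves a floating version on every `make manifests`, so the CRD output (and whatever `@latest` pulls in) changes whenever upstream tags a release and the build is no longer reproducible from the checkout alone. The generated CRD in this same commit records `controller-gen.kubebuilder.io/version: v0.15.0`; pin to that, `CONTROLLER_GEN ?= go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.15.0`, or add controller-tools to hack/tools.go so go.mod and go.sum govern the version. A pinned `go run pkg@version` is still checked against the Go checksum database by default, so it is as verifiable as a vendored tool while remaining a one-liner.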
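Review bot: `rm -rf vendor` in the `generate` recipe unconditionally deletes any `vendor/` directory, including one the developer had before running the target, and because each recipe line is its own shell a failure in `./hack/update-codegen.sh` aborts before the `rm`, leaving a freshly populated `vendor/` behind that silently switches later `go build` invocations to vendor mode (the default since Go 1.14 when `vendor/modules.txt` exists). Refuse to clobber and clean up on every exit path instead, e.g. `test ! -d vendor || { echo 'vendor/ exists; remove it or run codegen manually' >&2; exit 1; }` as the first line and `$(GO) mod vendor && ./hack/update-codegen.sh; rc=$$?; rm -rf vendor; exit $$rc` as a single chained line. `generate` also lost its `$(GO_FILES)` prerequisite and no `.PHONY` declaration is visible in the hunk, so a stray file named `generate` would make the target a silent no-op; add `.PHONY: generate` if it is not declared elsewhere. Since this commit had to regenerate `zz_generated.deepcopy.go` to pick up `Immutable`, a CI target such as `verify-codegen: generate` followed by `git diff --exit-code pkg/` would catch generated code drifting from the types again.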
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail + +SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/.. +CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-generator 2>/dev/null || echo ../code-generator)} + +source "${CODEGEN_PKG}/kube_codegen.sh" + +THIS_PKG="github.com/bitnami-labs/sealed-secrets" + +kube::codegen::gen_helpers \ + --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \ + "${SCRIPT_ROOT}/pkg/apis" + +kube::codegen::gen_client \ + --with-watch \ + --output-dir "${SCRIPT_ROOT}/pkg/client" \ + --output-pkg "${THIS_PKG}/pkg/client" \ + --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \ + "${SCRIPT_ROOT}/pkg/apis" diff --git a/helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml b/helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml index 44b6cf4f6..a41921e47 100644 --- a/helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml +++ b/helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: sealedsecrets.bitnami.com spec: group: bitnami.com 
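Review bot: The `CODEGEN_PKG` fallback `|| echo ../code-generator` makes the script `source` a `kube_codegen.sh` from a sibling directory outside the repository checkout whenever `vendor/k8s.io/code-generator` is absent, so a mis-named or attacker-placed `../code-generator` on a developer or CI machine runs with the caller's privileges and nothing reports that the vendored copy was not used. The Makefile always runs `go mod vendor` first, so the fallback is unnecessary; replace it with a hard failure before the `source` line, `[ -f "${CODEGEN_PKG}/kube_codegen.sh" ] || { echo "code-generator not found at ${CODEGEN_PKG}; run 'go mod vendor' first" >&2; exit 1; }`, while keeping `CODEGEN_PKG` overridable for anyone who deliberately points it elsewhere. The `ls -d -1 ./vendor/...` runs inside `$(cd "${SCRIPT_ROOT}"; ...)` and prints a path relative to `SCRIPT_ROOT`, but the outer shell's cwd is unchanged, so the `source` only resolves when the script is invoked from the repo root as the Makefile does; emit `${SCRIPT_ROOT}/vendor/k8s.io/code-generator` instead to make it cwd-independent.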
@@ -26,24 +26,30 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: SealedSecret is the K8s representation of a "sealed Secret" - - a regular k8s Secret that has been sealed (encrypted) using the controller's - key. + description: |- + SealedSecret is the K8s representation of a "sealed Secret" - a + regular k8s Secret that has been sealed (encrypted) using the + controller's key. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: SealedSecretSpec is the specification of a SealedSecret + description: SealedSecretSpec is the specification of a SealedSecret. properties: data: description: Data is deprecated and will be removed eventually. Use 
@@ -56,17 +62,27 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true template: - description: Template defines the structure of the Secret that will - be created from this sealed secret. + description: |- + Template defines the structure of the Secret that will be + created from this sealed secret. properties: data: additionalProperties: type: string - description: Keys that should be templated using decrypted data + description: Keys that should be templated using decrypted data. nullable: true type: object + immutable: + description: |- + Immutable, if set to true, ensures that data stored in the Secret cannot + be updated (only object metadata can be modified). + If not set to true, the field can be modified at any time. + Defaulted to nil. + type: boolean metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata nullable: true properties: annotations: @@ -91,10 +107,6 @@ spec: description: Used to facilitate programmatic handling of secret data. type: string - immutable: - description: 'Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). - If not set to true, the field can be modified at any time. Defaulted to nil.' - type: boolean type: object required: - encryptedData 
@@ -127,12 +139,14 @@ spec: description: The reason for the condition's last transition. type: string status: - description: 'Status of the condition for a sealed secret. Valid - values for "Synced": "True", "False", or "Unknown".' + description: |- + Status of the condition for a sealed secret. + Valid values for "Synced": "True", "False", or "Unknown". type: string type: - description: 'Type of condition for a sealed secret. Valid value: - "Synced"' + description: |- + Type of condition for a sealed secret. + Valid value: "Synced" type: string required: - status diff --git a/pkg/apis/sealedsecrets/v1alpha1/doc.go b/pkg/apis/sealedsecrets/v1alpha1/doc.go index b595aaa79..822fbcec7 100644 --- a/pkg/apis/sealedsecrets/v1alpha1/doc.go +++ b/pkg/apis/sealedsecrets/v1alpha1/doc.go @@ -1,5 +1,3 @@ -// go mod vendor doesn't preserve executable perm bits -//go:generate bash -c "go mod download && cd ../../../.. && bash $(go list -mod=mod -m -f '{{.Dir}}' k8s.io/code-generator)/generate-groups.sh deepcopy,client,informer,lister github.com/bitnami-labs/sealed-secrets/pkg/client github.com/bitnami-labs/sealed-secrets/pkg/apis sealedsecrets:v1alpha1 --go-header-file pkg/apis/sealedsecrets/v1alpha1/boilerplate.go.txt --trim-path-prefix github.com/bitnami-labs/sealed-secrets" // +k8s:deepcopy-gen=package,register // +groupName=bitnami.com diff --git a/pkg/apis/sealedsecrets/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/sealedsecrets/v1alpha1/zz_generated.deepcopy.go index 5aa665d42..49c46ac34 100644 --- a/pkg/apis/sealedsecrets/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/sealedsecrets/v1alpha1/zz_generated.deepcopy.go 
@@ -192,6 +192,11 @@ func (in *SealedSecretStatus) DeepCopy() *SealedSecretStatus { func (in *SecretTemplateSpec) DeepCopyInto(out *SecretTemplateSpec) { *out = *in in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + if in.Immutable != nil { + in, out := &in.Immutable, &out.Immutable + *out = new(bool) + **out = **in + } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]string, len(*in)) diff --git a/pkg/client/clientset/versioned/doc.go b/pkg/client/clientset/versioned/doc.go deleted file mode 100644 index 0e0c2a890..000000000 --- a/pkg/client/clientset/versioned/doc.go +++ /dev/null @@ -1,4 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -// This package has the automatically generated clientset. -package versioned diff --git a/pkg/client/informers/externalversions/factory.go b/pkg/client/informers/externalversions/factory.go index 36f73dc24..abeeb3e8f 100644 --- a/pkg/client/informers/externalversions/factory.go +++ b/pkg/client/informers/externalversions/factory.go @@ -26,6 +26,7 @@ type sharedInformerFactory struct { lock sync.Mutex defaultResync time.Duration customResync map[reflect.Type]time.Duration + transform cache.TransformFunc informers map[reflect.Type]cache.SharedIndexInformer // startedInformers is used for tracking which informers have been started. @@ -64,6 +65,14 @@ func WithNamespace(namespace string) SharedInformerOption { } } +// WithTransform sets a transform on all informers. +func WithTransform(transform cache.TransformFunc) SharedInformerOption { + return func(factory *sharedInformerFactory) *sharedInformerFactory { + factory.transform = transform + return factory + } +} + // NewSharedInformerFactory constructs a new instance of sharedInformerFactory for all namespaces. func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Duration) SharedInformerFactory { return NewSharedInformerFactoryWithOptions(client, defaultResync) 
@@ -150,7 +159,7 @@ func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[ref return res } -// InternalInformerFor returns the SharedIndexInformer for obj using an internal +// InformerFor returns the SharedIndexInformer for obj using an internal // client. func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer { f.lock.Lock() @@ -168,6 +177,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal } informer = newFunc(f.client, resyncPeriod) + informer.SetTransform(f.transform) f.informers[informerType] = informer return informer @@ -223,7 +233,7 @@ type SharedInformerFactory interface { // ForResource gives generic access to a shared informer of the matching type. ForResource(resource schema.GroupVersionResource) (GenericInformer, error) - // InternalInformerFor returns the SharedIndexInformer for obj using an internal + // InformerFor returns the SharedIndexInformer for obj using an internal // client. InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer diff --git a/schema-v1alpha1.yaml b/schema-v1alpha1.yaml index 913f30094..d18121266 100644 --- a/schema-v1alpha1.yaml +++ b/schema-v1alpha1.yaml 
@@ -1,16 +1,28 @@ openAPIV3Schema: - description: SealedSecret is the K8s representation of a "sealed Secret" - a regular k8s Secret that has been sealed (encrypted) using the controller's key. + description: |- + SealedSecret is the K8s representation of a "sealed Secret" - a + regular k8s Secret that has been sealed (encrypted) using the + controller's key. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: SealedSecretSpec is the specification of a SealedSecret + description: SealedSecretSpec is the specification of a SealedSecret. properties: data: description: Data is deprecated and will be removed eventually. Use per-value EncryptedData instead. 
@@ -22,16 +34,27 @@ openAPIV3Schema: type: object x-kubernetes-preserve-unknown-fields: true template: - description: Template defines the structure of the Secret that will be created from this sealed secret. + description: |- + Template defines the structure of the Secret that will be + created from this sealed secret. properties: data: additionalProperties: type: string - description: Keys that should be templated using decrypted data + description: Keys that should be templated using decrypted data. nullable: true type: object + immutable: + description: |- + Immutable, if set to true, ensures that data stored in the Secret cannot + be updated (only object metadata can be modified). + If not set to true, the field can be modified at any time. + Defaulted to nil. + type: boolean metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + description: |- + Standard object's metadata. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata nullable: true properties: annotations: @@ -55,9 +78,6 @@ openAPIV3Schema: type: description: Used to facilitate programmatic handling of secret data. type: string - immutable: - description: 'Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.' - type: boolean type: object required: - encryptedData 
@@ -85,10 +105,14 @@ openAPIV3Schema: description: The reason for the condition's last transition. type: string status: - description: 'Status of the condition for a sealed secret. Valid values for "Synced": "True", "False", or "Unknown".' + description: |- + Status of the condition for a sealed secret. + Valid values for "Synced": "True", "False", or "Unknown". type: string type: - description: 'Type of condition for a sealed secret. Valid value: "Synced"' + description: |- + Type of condition for a sealed secret. + Valid value: "Synced" type: string required: - status