Skip to content

Commit 9f78496

Browse files
committed
Merge remote-tracking branch 'origin/main' into gh-3386
2 parents 0d0df30 + d443853 commit 9f78496

112 files changed

Lines changed: 3195 additions & 972 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/svcaplbot-run-dyff.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -79,7 +79,7 @@ jobs:
7979
- name: Install npm dependencies
8080
run: cd "$GITHUB_WORKSPACE/pr" && npm install --no-save && cd "$GITHUB_WORKSPACE/base" && npm install --no-save
8181
- name: Install Helm and Helmfile
82-
uses: helmfile/helmfile-action@v2.4.5
82+
uses: helmfile/helmfile-action@v2.4.6
8383
with:
8484
helmfile-args: version # In this step, we only want these tools to be installed
8585
helm-plugins: >

apps.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -87,7 +87,7 @@ appsInfo:
8787
integration: Harbor can be enabled to provide each team with a private registry. Harbor has been made user and tenant aware. App Platform runs automated tasks that take care of creating a project in Harbor for each team, creating a bot-account for each team, and creating a Kubernetes pull secret in the team namespace to enable pulling of images out of the local registry.
8888
istio:
8989
title: Istio
90-
appVersion: 1.29.2
90+
appVersion: 1.30.2
9191
repo: https://github.com/istio/istio
9292
maintainers: Istio
9393
relatedLinks:

bin/edgedns_A_record.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,7 @@ def create_dns_record(session, domain, ip):
4343
except HTTPError as e:
4444
response_json = json.loads(e.response.text)
4545
print(f"Failed to create DNS record: {response_json['title']} ")
46+
print(f"Data: {json.dumps(data, indent=2)}")
4647
sys.exit(1)
4748

4849
# Function to delete DNS record
@@ -56,6 +57,7 @@ def delete_dns_record(session, domain):
5657
except HTTPError as e:
5758
response_json = json.loads(e.response.text)
5859
print(f"Failed to delete DNS record: {response_json['title']}")
60+
print(f"Data: {json.dumps({'name': domain}, indent=2)}")
5961
sys.exit(1)
6062

6163
# Function to list A records

chart/chart-index/Chart.yaml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ dependencies:
3232
version: 1.21.1
3333
repository: https://kubernetes-sigs.github.io/external-dns
3434
- name: external-secrets
35-
version: 2.6.0
35+
version: 2.7.0
3636
repository: https://charts.external-secrets.io
3737
- name: gitea
3838
version: 12.6.0
@@ -42,21 +42,21 @@ dependencies:
4242
repository: https://helm.goharbor.io
4343
- name: base
4444
alias: istio-base
45-
version: 1.29.2
45+
version: 1.30.2
4646
repository: https://istio-release.storage.googleapis.com/charts
4747
- name: cni
4848
alias: istio-cni
49-
version: 1.29.2
49+
version: 1.30.2
5050
repository: https://istio-release.storage.googleapis.com/charts
5151
- name: gateway
5252
alias: istio-gateway
53-
version: 1.29.2
53+
version: 1.30.2
5454
repository: https://istio-release.storage.googleapis.com/charts
5555
- name: istiod
56-
version: 1.29.2
56+
version: 1.30.2
5757
repository: https://istio-release.storage.googleapis.com/charts
5858
- name: ztunnel
59-
version: 1.29.2
59+
version: 1.30.2
6060
repository: https://istio-release.storage.googleapis.com/charts
6161
- name: keycloakx
6262
alias: keycloak

charts/external-secrets/Chart.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
apiVersion: v2
2-
appVersion: v2.6.0
2+
appVersion: v2.7.0
33
dependencies:
44
- condition: bitwarden-sdk-server.enabled
55
name: bitwarden-sdk-server
@@ -17,4 +17,4 @@ maintainers:
1717
name: mcavoyk
1818
name: external-secrets
1919
type: application
20-
version: 2.6.0
20+
version: 2.7.0

charts/external-secrets/README.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
66

7-
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square)
7+
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.7.0](https://img.shields.io/badge/Version-2.7.0-informational?style=flat-square)
88

99
External secrets management for Kubernetes
1010

@@ -243,6 +243,7 @@ The command removes all the Kubernetes components associated with the chart and
243243
| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) |
244244
| serviceMonitor.renderMode | string | `"skipIfMissing"` | How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`" Possible values: - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing. - `failIfMissing`: Fail Helm install if CRD is not present. - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD. @schema enum: - skipIfMissing - failIfMissing - alwaysRender @schema |
245245
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
246+
| storeRequeueInterval | string | `""` | Default time duration between reconciling (Cluster)SecretStores. |
246247
| strategy | object | `{}` | Set deployment strategy |
247248
| systemAuthDelegator | bool | `false` | If true the system:auth-delegator ClusterRole will be added to RBAC |
248249
| tolerations | list | `[]` | |
Lines changed: 214 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,214 @@
1+
---
2+
# Source: external-secrets/templates/crds/beyondtrustworkloadcredentialsdynamicsecret.yaml
3+
apiVersion: apiextensions.k8s.io/v1
4+
kind: CustomResourceDefinition
5+
metadata:
6+
annotations:
7+
controller-gen.kubebuilder.io/version: v0.19.0
8+
labels:
9+
external-secrets.io/component: controller
10+
name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
11+
spec:
12+
group: generators.external-secrets.io
13+
names:
14+
categories:
15+
- external-secrets
16+
- external-secrets-generators
17+
kind: BeyondtrustWorkloadCredentialsDynamicSecret
18+
listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
19+
plural: beyondtrustworkloadcredentialsdynamicsecrets
20+
singular: beyondtrustworkloadcredentialsdynamicsecret
21+
scope: Namespaced
22+
versions:
23+
- name: v1alpha1
24+
schema:
25+
openAPIV3Schema:
26+
description: |-
27+
BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
28+
This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
29+
(such as AWS STS credentials) each time an ExternalSecret is refreshed.
30+
Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
31+
For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
32+
properties:
33+
apiVersion:
34+
description: |-
35+
APIVersion defines the versioned schema of this representation of an object.
36+
Servers should convert recognized schemas to the latest internal value, and
37+
may reject unrecognized values.
38+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
39+
type: string
40+
kind:
41+
description: |-
42+
Kind is a string value representing the REST resource this object represents.
43+
Servers may infer this from the endpoint the client submits requests to.
44+
Cannot be updated.
45+
In CamelCase.
46+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
47+
type: string
48+
metadata:
49+
type: object
50+
spec:
51+
description: |-
52+
BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
53+
This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
54+
For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
55+
properties:
56+
controller:
57+
description: |-
58+
Controller selects the controller that should handle this generator.
59+
Leave empty to use the default controller.
60+
type: string
61+
provider:
62+
description: |-
63+
Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
64+
server connection details, and the folder path to the dynamic secret definition.
65+
The folderPath should point to a dynamic secret definition that has been created in
66+
BeyondTrust Workload Credentials (e.g., "production/aws-temp").
67+
For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
68+
properties:
69+
auth:
70+
description: |-
71+
Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
72+
Currently supports API key authentication via Kubernetes secret reference.
73+
For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
74+
properties:
75+
apikey:
76+
description: |-
77+
APIKey configures API token authentication for BeyondTrust Workload Credentials.
78+
The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
79+
properties:
80+
token:
81+
description: |-
82+
Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
83+
The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
84+
Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
85+
For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
86+
properties:
87+
key:
88+
description: |-
89+
A key in the referenced Secret.
90+
Some instances of this field may be defaulted, in others it may be required.
91+
maxLength: 253
92+
minLength: 1
93+
pattern: ^[-._a-zA-Z0-9]+$
94+
type: string
95+
name:
96+
description: The name of the Secret resource being referred to.
97+
maxLength: 253
98+
minLength: 1
99+
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
100+
type: string
101+
namespace:
102+
description: |-
103+
The namespace of the Secret resource being referred to.
104+
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
105+
maxLength: 63
106+
minLength: 1
107+
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
108+
type: string
109+
type: object
110+
required:
111+
- token
112+
type: object
113+
required:
114+
- apikey
115+
type: object
116+
caBundle:
117+
description: |-
118+
CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
119+
Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
120+
If not set, the system's trusted root certificates are used.
121+
format: byte
122+
type: string
123+
caProvider:
124+
description: |-
125+
CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
126+
This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
127+
Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
128+
properties:
129+
key:
130+
description: The key where the CA certificate can be found in the Secret or ConfigMap.
131+
maxLength: 253
132+
minLength: 1
133+
pattern: ^[-._a-zA-Z0-9]+$
134+
type: string
135+
name:
136+
description: The name of the object located at the provider type.
137+
maxLength: 253
138+
minLength: 1
139+
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
140+
type: string
141+
namespace:
142+
description: |-
143+
The namespace the Provider type is in.
144+
Can only be defined when used in a ClusterSecretStore.
145+
maxLength: 63
146+
minLength: 1
147+
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
148+
type: string
149+
type:
150+
description: The type of provider to use such as "Secret", or "ConfigMap".
151+
enum:
152+
- Secret
153+
- ConfigMap
154+
type: string
155+
required:
156+
- name
157+
- type
158+
type: object
159+
folderPath:
160+
description: |-
161+
FolderPath specifies the default folder path for secret retrieval.
162+
Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
163+
Example: "production/database" or "dev/api-keys"
164+
Leave empty to retrieve secrets from the root folder.
165+
For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
166+
type: string
167+
server:
168+
description: |-
169+
Server configures the BeyondTrust Workload Credentials server connection details.
170+
Includes the API URL and Site ID for your BeyondTrust instance.
171+
For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
172+
properties:
173+
apiUrl:
174+
description: |-
175+
APIURL is the base URL of your BeyondTrust Workload Credentials API server.
176+
This should be the full URL to your BeyondTrust instance.
177+
Example: https://api.beyondtrust.io/siie
178+
For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
179+
type: string
180+
siteId:
181+
description: |-
182+
SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
183+
This identifier is unique to your BeyondTrust Workload Credentials instance.
184+
You can find your Site ID in the BeyondTrust Workload Credentials admin console.
185+
Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
186+
For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
187+
type: string
188+
required:
189+
- apiUrl
190+
- siteId
191+
type: object
192+
required:
193+
- auth
194+
- server
195+
type: object
196+
retrySettings:
197+
description: |-
198+
RetrySettings configures exponential backoff for failed API requests.
199+
If not specified, uses the default retry settings.
200+
properties:
201+
maxRetries:
202+
format: int32
203+
type: integer
204+
retryInterval:
205+
type: string
206+
type: object
207+
required:
208+
- provider
209+
type: object
210+
type: object
211+
served: true
212+
storage: true
213+
subresources:
214+
status: {}

0 commit comments

Comments
 (0)