diff --git a/operators/ack-secretsmanager-controller/1.0.1/bundle.Dockerfile b/operators/ack-secretsmanager-controller/1.0.1/bundle.Dockerfile new file mode 100644 index 00000000000..a5eda11ad56 --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/bundle.Dockerfile @@ -0,0 +1,21 @@ +FROM scratch + +# Core bundle labels. +LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 +LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ +LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ +LABEL operators.operatorframework.io.bundle.package.v1=ack-secretsmanager-controller +LABEL operators.operatorframework.io.bundle.channels.v1=alpha +LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0 +LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 +LABEL operators.operatorframework.io.metrics.project_layout=unknown + +# Labels for testing. +LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 +LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ + +# Copy files to locations specified by labels. +COPY bundle/manifests /manifests/ +COPY bundle/metadata /metadata/ +COPY bundle/tests/scorecard /tests/scorecard/ diff --git a/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-controller.clusterserviceversion.yaml b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-controller.clusterserviceversion.yaml new file mode 100644 index 00000000000..c966dc3f9da --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-controller.clusterserviceversion.yaml @@ -0,0 +1,266 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "secretsmanager.services.k8s.aws/v1alpha1", + "kind": "Secret", + "metadata": { + "name": "example" + }, + "spec": {} + } + ] + capabilities: Basic Install + categories: Cloud Provider + certified: "false" + containerImage: public.ecr.aws/aws-controllers-k8s/secretsmanager-controller:1.0.1 + createdAt: "2025-01-14T21:47:23Z" + description: AWS Secrets Manager controller is a service controller for managing + Secrets Manager resources in Kubernetes + operatorframework.io/suggested-namespace: ack-system + operators.operatorframework.io/builder: operator-sdk-v1.28.0 + operators.operatorframework.io/project_layout: unknown + repository: https://github.com/aws-controllers-k8s + support: Community + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/os.linux: supported + name: ack-secretsmanager-controller.v1.0.1 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: Secret represents the state of an AWS secretsmanager Secret resource. + displayName: Secret + kind: Secret + name: secrets.secretsmanager.services.k8s.aws + version: v1alpha1 + description: |- + Manage Amazon Secrets Manager resources in AWS from within your Kubernetes cluster. + + **About Amazon Secrets Manager** + + AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles. [Many AWS services that use secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating.html) store them in Secrets Manager. + + Secrets Manager helps you improve your security posture, because you no longer need hard-coded credentials in application source code. Storing the credentials in Secrets Manager helps avoid possible compromise by anyone who can inspect your application or the components. You replace hard-coded credentials with a runtime call to the Secrets Manager service to retrieve credentials dynamically when you need them. + + **About the AWS Controllers for Kubernetes** + + This controller is a component of the [AWS Controller for Kubernetes](https://github.com/aws/aws-controllers-k8s) project. This project is currently in **developer preview**. + + **Pre-Installation Steps** + + Please follow the following link: [Red Hat OpenShift](https://aws-controllers-k8s.github.io/community/docs/user-docs/openshift/) + displayName: AWS Controllers for Kubernetes - Amazon Secrets Manager + icon: + - base64data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjAuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB2aWV3Qm94PSIwIDAgMzA0IDE4MiIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMzA0IDE4MjsiIHhtbDpzcGFjZT0icHJlc2VydmUiPgo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiMyNTJGM0U7fQoJLnN0MXtmaWxsLXJ1bGU6ZXZlbm9kZDtjbGlwLXJ1bGU6ZXZlbm9kZDtmaWxsOiNGRjk5MDA7fQo8L3N0eWxlPgo8Zz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik04Ni40LDY2LjRjMCwzLjcsMC40LDYuNywxLjEsOC45YzAuOCwyLjIsMS44LDQuNiwzLjIsNy4yYzAuNSwwLjgsMC43LDEuNiwwLjcsMi4zYzAsMS0wLjYsMi0xLjksM2wtNi4zLDQuMiAgIGMtMC45LDAuNi0xLjgsMC45LTIuNiwwLjljLTEsMC0yLTAuNS0zLTEuNEM3Ni4yLDkwLDc1LDg4LjQsNzQsODYuOGMtMS0xLjctMi0zLjYtMy4xLTUuOWMtNy44LDkuMi0xNy42LDEzLjgtMjkuNCwxMy44ICAgYy04LjQsMC0xNS4xLTIuNC0yMC03LjJjLTQuOS00LjgtNy40LTExLjItNy40LTE5LjJjMC04LjUsMy0xNS40LDkuMS0yMC42YzYuMS01LjIsMTQuMi03LjgsMjQuNS03LjhjMy40LDAsNi45LDAuMywxMC42LDAuOCAgIGMzLjcsMC41LDcuNSwxLjMsMTEuNSwyLjJ2LTcuM2MwLTcuNi0xLjYtMTIuOS00LjctMTZjLTMuMi0zLjEtOC42LTQuNi0xNi4zLTQuNmMtMy41LDAtNy4xLDAuNC0xMC44LDEuM2MtMy43LDAuOS03LjMsMi0xMC44LDMuNCAgIGMtMS42LDAuNy0yLjgsMS4xLTMuNSwxLjNjLTAuNywwLjItMS4yLDAuMy0xLjYsMC4zYy0xLjQsMC0yLjEtMS0yLjEtMy4xdi00LjljMC0xLjYsMC4yLTIuOCwwLjctMy41YzAuNS0wLjcsMS40LTEuNCwyLjgtMi4xICAgYzMuNS0xLjgsNy43LTMuMywxMi42LTQuNWM0LjktMS4zLDEwLjEtMS45LDE1LjYtMS45YzExLjksMCwyMC42LDIuNywyNi4yLDguMWM1LjUsNS40LDguMywxMy42LDguMywyNC42VjY2LjR6IE00NS44LDgxLjYgICBjMy4zLDAsNi43LTAuNiwxMC4zLTEuOGMzLjYtMS4yLDYuOC0zLjQsOS41LTYuNGMxLjYtMS45LDIuOC00LDMuNC02LjRjMC42LTIuNCwxLTUuMywxLTguN3YtNC4yYy0yLjktMC43LTYtMS4zLTkuMi0xLjcgICBjLTMuMi0wLjQtNi4zLTAuNi05LjQtMC42Yy02LjcsMC0xMS42LDEuMy0xNC45LDRjLTMuMywyLjctNC45LDYuNS00LjksMTEuNWMwLDQuNywxLjIsOC4yLDMuNywxMC42ICAgQzM3LjcsODAuNCw0MS4yLDgxLjYsNDUuOCw4MS42eiBNMTI2LjEsOTIuNGMtMS44LDAtMy0wLjMtMy44LTFjLTAuOC0wLjYtMS41LTItMi4xLTMuOUw5Ni43LDEwLjJjLTAuNi0yLTAuOS0zLjMtMC45LTQgICBjMC0xLjYsMC44LTIuNSwyLjQtMi41aDkuOGMxLjksMCwzLjIsMC4zLDMuOSwxYzAuOCwwLjYsMS40LDIsMiwzLjlsMTYuOCw2Ni4ybDE1LjYtNjYuMmMwLjUtMiwxLjEtMy4zLDEuOS0zLjljMC44LTAuNiwyLjItMSw0LTEgICBoOGMxLjksMCwzLjIsMC4zLDQsMWMwLjgsMC42LDEuNSwyLDEuOSwzLjlsMTUuOCw2N2wxNy4zLTY3YzAuNi0yLDEuMy0zLjMsMi0zLjljMC44LTAuNiwyLjEtMSwzLjktMWg5LjNjMS42LDAsMi41LDAuOCwyLjUsMi41ICAgYzAsMC41LTAuMSwxLTAuMiwxLjZjLTAuMSwwLjYtMC4zLDEuNC0wLjcsMi41bC0yNC4xLDc3LjNjLTAuNiwyLTEuMywzLjMtMi4xLDMuOWMtMC44LDAuNi0yLjEsMS0zLjgsMWgtOC42Yy0xLjksMC0zLjItMC4zLTQtMSAgIGMtMC44LTAuNy0xLjUtMi0xLjktNEwxNTYsMjNsLTE1LjQsNjQuNGMtMC41LDItMS4xLDMuMy0xLjksNGMtMC44LDAuNy0yLjIsMS00LDFIMTI2LjF6IE0yNTQuNiw5NS4xYy01LjIsMC0xMC40LTAuNi0xNS40LTEuOCAgIGMtNS0xLjItOC45LTIuNS0xMS41LTRjLTEuNi0wLjktMi43LTEuOS0zLjEtMi44Yy0wLjQtMC45LTAuNi0xLjktMC42LTIuOHYtNS4xYzAtMi4xLDAuOC0zLjEsMi4zLTMuMWMwLjYsMCwxLjIsMC4xLDEuOCwwLjMgICBjMC42LDAuMiwxLjUsMC42LDIuNSwxYzMuNCwxLjUsNy4xLDIuNywxMSwzLjVjNCwwLjgsNy45LDEuMiwxMS45LDEuMmM2LjMsMCwxMS4yLTEuMSwxNC42LTMuM2MzLjQtMi4yLDUuMi01LjQsNS4yLTkuNSAgIGMwLTIuOC0wLjktNS4xLTIuNy03Yy0xLjgtMS45LTUuMi0zLjYtMTAuMS01LjJMMjQ2LDUyYy03LjMtMi4zLTEyLjctNS43LTE2LTEwLjJjLTMuMy00LjQtNS05LjMtNS0xNC41YzAtNC4yLDAuOS03LjksMi43LTExLjEgICBjMS44LTMuMiw0LjItNiw3LjItOC4yYzMtMi4zLDYuNC00LDEwLjQtNS4yYzQtMS4yLDguMi0xLjcsMTIuNi0xLjdjMi4yLDAsNC41LDAuMSw2LjcsMC40YzIuMywwLjMsNC40LDAuNyw2LjUsMS4xICAgYzIsMC41LDMuOSwxLDUuNywxLjZjMS44LDAuNiwzLjIsMS4yLDQuMiwxLjhjMS40LDAuOCwyLjQsMS42LDMsMi41YzAuNiwwLjgsMC45LDEuOSwwLjksMy4zdjQuN2MwLDIuMS0wLjgsMy4yLTIuMywzLjIgICBjLTAuOCwwLTIuMS0wLjQtMy44LTEuMmMtNS43LTIuNi0xMi4xLTMuOS0xOS4yLTMuOWMtNS43LDAtMTAuMiwwLjktMTMuMywyLjhjLTMuMSwxLjktNC43LDQuOC00LjcsOC45YzAsMi44LDEsNS4yLDMsNy4xICAgYzIsMS45LDUuNywzLjgsMTEsNS41bDE0LjIsNC41YzcuMiwyLjMsMTIuNCw1LjUsMTUuNSw5LjZjMy4xLDQuMSw0LjYsOC44LDQuNiwxNGMwLDQuMy0wLjksOC4yLTIuNiwxMS42ICAgYy0xLjgsMy40LTQuMiw2LjQtNy4zLDguOGMtMy4xLDIuNS02LjgsNC4zLTExLjEsNS42QzI2NC40LDk0LjQsMjU5LjcsOTUuMSwyNTQuNiw5NS4xeiIvPgoJPGc+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI3My41LDE0My43Yy0zMi45LDI0LjMtODAuNywzNy4yLTEyMS44LDM3LjJjLTU3LjYsMC0xMDkuNS0yMS4zLTE0OC43LTU2LjdjLTMuMS0yLjgtMC4zLTYuNiwzLjQtNC40ICAgIGM0Mi40LDI0LjYsOTQuNywzOS41LDE0OC44LDM5LjVjMzYuNSwwLDc2LjYtNy42LDExMy41LTIzLjJDMjc0LjIsMTMzLjYsMjc4LjksMTM5LjcsMjczLjUsMTQzLjd6Ii8+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI4Ny4yLDEyOC4xYy00LjItNS40LTI3LjgtMi42LTM4LjUtMS4zYy0zLjIsMC40LTMuNy0yLjQtMC44LTQuNWMxOC44LTEzLjIsNDkuNy05LjQsNTMuMy01ICAgIGMzLjYsNC41LTEsMzUuNC0xOC42LDUwLjJjLTIuNywyLjMtNS4zLDEuMS00LjEtMS45QzI4Mi41LDE1NS43LDI5MS40LDEzMy40LDI4Ny4yLDEyOC4xeiIvPgoJPC9nPgo8L2c+Cjwvc3ZnPg== + mediatype: image/svg+xml + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - secretsmanager.services.k8s.aws + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - secretsmanager.services.k8s.aws + resources: + - secrets/status + verbs: + - get + - patch + - update + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + - fieldexports/status + verbs: + - get + - patch + - update + serviceAccountName: ack-secretsmanager-controller + deployments: + - label: + app.kubernetes.io/name: ack-secretsmanager-controller + app.kubernetes.io/part-of: ack-system + name: ack-secretsmanager-controller + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ack-secretsmanager-controller + strategy: {} + template: + metadata: + labels: + app.kubernetes.io/name: ack-secretsmanager-controller + spec: + containers: + - args: + - --aws-region + - $(AWS_REGION) + - --aws-endpoint-url + - $(AWS_ENDPOINT_URL) + - --enable-development-logging=$(ACK_ENABLE_DEVELOPMENT_LOGGING) + - --log-level + - $(ACK_LOG_LEVEL) + - --resource-tags + - $(ACK_RESOURCE_TAGS) + - --watch-namespace + - $(ACK_WATCH_NAMESPACE) + - --enable-leader-election=$(ENABLE_LEADER_ELECTION) + - --leader-election-namespace + - $(LEADER_ELECTION_NAMESPACE) + - --reconcile-default-max-concurrent-syncs + - $(RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS) + - --feature-gates + - $(FEATURE_GATES) + command: + - ./bin/controller + env: + - name: ACK_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - configMapRef: + name: ack-secretsmanager-user-config + optional: false + - secretRef: + name: ack-secretsmanager-user-secrets + optional: true + image: public.ecr.aws/aws-controllers-k8s/secretsmanager-controller:1.0.1 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: controller + ports: + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + dnsPolicy: ClusterFirst + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: ack-secretsmanager-controller + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: ack-secretsmanager-controller + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: true + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - secretsmanager + - aws + - amazon + - ack + links: + - name: AWS Controllers for Kubernetes + url: https://github.com/aws-controllers-k8s/community + - name: Documentation + url: https://aws-controllers-k8s.github.io/community/ + - name: Amazon Secrets Manager Developer Resources + url: https://aws.amazon.com/secrets-manager/resources + maintainers: + - email: ack-maintainers@amazon.com + name: secretsmanager maintainer team + maturity: alpha + provider: + name: Amazon, Inc. + url: https://aws.amazon.com + version: 1.0.1 diff --git a/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-metrics-service_v1_service.yaml b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-metrics-service_v1_service.yaml new file mode 100644 index 00000000000..0f65552e37a --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-metrics-service_v1_service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + name: ack-secretsmanager-metrics-service +spec: + ports: + - name: metricsport + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: ack-secretsmanager-controller + type: NodePort +status: + loadBalancer: {} diff --git a/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-reader_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-reader_rbac.authorization.k8s.io_v1_role.yaml new file mode 100644 index 00000000000..d312b771e9f --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-reader_rbac.authorization.k8s.io_v1_role.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: ack-secretsmanager-reader +rules: +- apiGroups: + - secretsmanager.services.k8s.aws + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-writer_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-writer_rbac.authorization.k8s.io_v1_role.yaml new file mode 100644 index 00000000000..49ad89feb1a --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/manifests/ack-secretsmanager-writer_rbac.authorization.k8s.io_v1_role.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: ack-secretsmanager-writer +rules: +- apiGroups: + - secretsmanager.services.k8s.aws + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - secretsmanager.services.k8s.aws + resources: + - secrets + verbs: + - get + - patch + - update diff --git a/operators/ack-secretsmanager-controller/1.0.1/manifests/example_secretsmanager.services.k8s.aws_v1alpha1_secret.yaml b/operators/ack-secretsmanager-controller/1.0.1/manifests/example_secretsmanager.services.k8s.aws_v1alpha1_secret.yaml new file mode 100644 index 00000000000..2fd150c4f4c --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/manifests/example_secretsmanager.services.k8s.aws_v1alpha1_secret.yaml @@ -0,0 +1,5 @@ +apiVersion: secretsmanager.services.k8s.aws/v1alpha1 +kind: Secret +metadata: + name: example +spec: {} diff --git a/operators/ack-secretsmanager-controller/1.0.1/manifests/secretsmanager.services.k8s.aws_secrets.yaml b/operators/ack-secretsmanager-controller/1.0.1/manifests/secretsmanager.services.k8s.aws_secrets.yaml new file mode 100644 index 00000000000..d97b66d7b51 --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/manifests/secretsmanager.services.k8s.aws_secrets.yaml @@ -0,0 +1,268 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: secrets.secretsmanager.services.k8s.aws +spec: + group: secretsmanager.services.k8s.aws + names: + kind: Secret + listKind: SecretList + plural: secrets + singular: secret + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Secret is the Schema for the Secrets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecretSpec defines the desired state of Secret. + properties: + description: + description: The description of the secret. + type: string + forceOverwriteReplicaSecret: + description: |- + Specifies whether to overwrite a secret with the same name in the destination + Region. By default, secrets aren't overwritten. + type: boolean + kmsKeyID: + description: |- + The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt + the secret value in the secret. An alias is always prefixed by alias/, for + example alias/aws/secretsmanager. For more information, see About aliases + (https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html). + + To use a KMS key in a different account, use the key ARN or the alias ARN. + + If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. + If that key doesn't yet exist, then Secrets Manager creates it for you automatically + the first time it encrypts the secret value. + + If the secret is in a different Amazon Web Services account from the credentials + calling the API, then you can't use aws/secretsmanager to encrypt the secret, + and you must create and use a customer managed KMS key. + type: string + name: + description: |- + The name of the new secret. + + The secret name can contain ASCII letters, numbers, and the following characters: + /_+=.@- + + Do not end your secret name with a hyphen followed by six characters. If + you do so, you risk confusion and unexpected results when searching for a + secret by partial ARN. Secrets Manager automatically adds a hyphen and six + random characters after the secret name at the end of the ARN. + type: string + replicaRegions: + description: A list of Regions and KMS keys to replicate secrets. + items: + description: A custom type that specifies a Region and the KmsKeyId + for a replica secret. + properties: + kmsKeyID: + type: string + region: + type: string + type: object + type: array + secretString: + description: |- + The text data to encrypt and store in this new version of the secret. We + recommend you use a JSON structure of key/value pairs for your secret value. + + Either SecretString or SecretBinary must have a value, but not both. + + If you create a secret by using the Secrets Manager console then Secrets + Manager puts the protected secret text in only the SecretString parameter. + The Secrets Manager console stores the information as a JSON structure of + key/value pairs that a Lambda rotation function can parse. + properties: + key: + description: Key is the key within the secret + type: string + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + tags: + description: |- + A list of tags to attach to the secret. Each tag is a key and value pair + of strings in a JSON text string, for example: + + [{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}] + + Secrets Manager tag key names are case sensitive. A tag with the key "ABC" + is a different tag from one with key "abc". + + If you check tags in permissions policies as part of your security strategy, + then adding or removing a tag can change permissions. If the completion of + this operation would result in you losing your permissions for this secret, + then Secrets Manager blocks the operation and returns an Access Denied error. + For more information, see Control access to secrets using tags (https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) + and Limit access to identities with tags that match secrets' tags (https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2). + + For information about how to format a JSON parameter for the various command + line tool environments, see Using JSON for Parameters (https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json). + If your command-line tool or SDK requires quotation marks around the parameter, + you should use single quotes to avoid confusion with the double quotes required + in the JSON text. + + For tag quotas and naming restrictions, see Service quotas for Tagging (https://docs.aws.amazon.com/general/latest/gr/arg.html#taged-reference-quotas) + in the Amazon Web Services General Reference guide. + items: + description: A structure that contains information about a tag. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + type: object + status: + description: SecretStatus defines the observed state of Secret + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + id: + description: The ARN of the secret. + type: string + replicationStatus: + description: |- + A list of the replicas of this secret and their status: + + * Failed, which indicates that the replica was not created. + + * InProgress, which indicates that Secrets Manager is in the process of + creating the replica. + + * InSync, which indicates that the replica was created. + items: + description: |- + A replication object consisting of a RegionReplicationStatus object and includes + a Region, KMSKeyId, status, and status message. + properties: + kmsKeyID: + type: string + lastAccessedDate: + format: date-time + type: string + region: + type: string + status: + type: string + statusMessage: + type: string + type: object + type: array + versionID: + description: The unique identifier associated with the version of + the new secret. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-secretsmanager-controller/1.0.1/metadata/annotations.yaml b/operators/ack-secretsmanager-controller/1.0.1/metadata/annotations.yaml new file mode 100644 index 00000000000..c3d870915d0 --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/metadata/annotations.yaml @@ -0,0 +1,15 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: ack-secretsmanager-controller + operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.bundle.channel.default.v1: alpha + operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: unknown + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/operators/ack-secretsmanager-controller/1.0.1/tests/scorecard/config.yaml b/operators/ack-secretsmanager-controller/1.0.1/tests/scorecard/config.yaml new file mode 100644 index 00000000000..382ddefd156 --- /dev/null +++ b/operators/ack-secretsmanager-controller/1.0.1/tests/scorecard/config.yaml @@ -0,0 +1,50 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {}