0.0.3 merge

README.md

@@ -30,39 +30,64 @@ kubectl apply -f https://raw.githubusercontent.com/btungut/azure-keyvault-secret
 
 
 ## What is AzureKeyVault custom resource definition ?
-**AzureKeyVault** is a custom resource definition which is being tracked by operator. It is cluster scoped and includes references for Azure KeyVault, service principal and to be synced secrets accross kubernetes cluster.
+**AzureKeyVault** is a cluster scoped custom object which is being tracked by operator.
+Only prerequisite you need to complete is having a kubernetes secret which includes Service Principal (id, secret, tenantid) in any namespace.
+
+In a AzureKeyVault object, you need to define followings;
+| 1st Level Field           | Description                                                                                   |
+|---------------------------|-----------------------------------------------------------------------------------------------|
+| `.spec.syncVersion`    | Version value for providing consistency. You can increment manually if you'd like to sync all of the secrets again. (Optional, default : 1)                                     |
+| `.spec.azureKeyVaultRef`    | Reference of Azure KeyVault which includes secret objects                                     |
+| `.spec.servicePrincipalRef` | Reference of a kubernetes secret object which includes fields of authorized Service Principal |
+| `.spec.managedSecrets`      | List of kubernetes secrets which is being created and filled by operator as your needs.       |
+
+
+### Namespaces field supports regex
+You can define the secrets which you'd like to be created in `.spec.managedSecrets`. If you'd like to create a secret accross more than one namespaces, you can use regex pattern in `.spec.managedSecrets[].namespaces[]'` field as your needs.
+
+### Data field supports Go Template
+Also, `.spec.managedSecrets[].data` field supports **go template** for values. You can put more than one Azure KeyVault Secret data in a field.
+
+Below example demonstrates both of the features.
 
 ```
 apiVersion: btungut.io/v1
 kind: AzureKeyVault
 metadata:
   name: contoso
 spec:
-  name: my-azure-keyvault-name
-  resourceGroup: my-azure-resourcegroup
   syncVersion: 1
-  servicePrincipal:
+  azureKeyVaultRef:
+    name: my-azure-keyvault-name
+    resourceGroup: my-azure-resourcegroup
+  servicePrincipalRef:
     secretName: "my-secret-includes-serviceprincipal"
     secretNamespace: "my-infra-namespace"
     tenantIdField: "tenantid"
     clientIdField: "clientid"
     clientSecretField: "clientsecret"
-  objects:
-    - name: catalog-db-connectionstring
-      type: secret
-      copyTo:
-        - namespace: services-preprod
-          secretName: CatalogDB
-        - namespace: services-staging
-          secretName: CatalogDB
-    - name: catalog-rabbitmq-connectionstring
-      type: secret
-      copyTo:
-        - namespace: services-preprod
-          secretName: RabbitMQ
+  managedSecrets:
+
+    - name: catalog-api-credentials
+      namespaces:
+        - "dev-(.+)"                #namespaces which starts with 'dev-'
+        - "hardcodednamespace"      #specific namespace
+      type: Opaque
+      data:
+        mssql: "{{ .nameOfAzureKeyVaultSecret }}"
+        amqp: "{{ .amqp }};port=15672;TLS=enabled"
+        hardcodedfield: "hard coded value"
+      labels:
+        somelabelkey: "it is possible to adding labels"
+
+    - name: docker-pull-secret
+      namespaces:
+        - "(.+)"                    #match all namespaces
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ .acr-credentials-json }}"
 ```
 
-`spec.name` and `spec.resourceGroup` needs to point your Azure KeyVault resource.
 
 As we mentioned before, you need to have a service principal that is used to access Azure KeyVault. You need to create a secret **manually** which includes service principal informations. You're completely free for naming of the fields. 
 
@@ -79,59 +104,38 @@ data:
   clientsecret: //BASE64 encoded password
   tenantid: //BASE64 encoded GUID
 ```
-E.g. : Value of `spec.servicePrincipal.clientSecretField` in AzureKeyVault is pointing the field name of secret. 
-
-## Supported Secret Types
-Operator currently supports following types;
-- Opaque
-- kubernetes.io/dockerconfigjson
-
-You can define a secret type with `spec.objects[].copyTo[].secretType` field which is optional and default value is Opaque if it is not explictly defined.
-
-
-```
-apiVersion: btungut.io/v1
-kind: AzureKeyVault
-metadata:
-  name: contoso
-spec:
-  ...
-  ...
-  objects:
-    ...
-    - name: docker-registry-credentials
-      type: secret
-      copyTo:
-        - namespace: services-preprod
-          secretName: registry-credentials
-          secretType: "kubernetes.io/dockerconfigjson"
-```
+E.g. : Value of `spec.servicePrincipalRef.clientSecretField` in AzureKeyVault object is pointing the data field in service principal secret.
 
 ## Configuration
-You can change the configurable values in [values.yaml](https://github.com/btungut/azure-keyvault-secret-operator/blob/master/helm/values.yaml) of helm chart
+You can change or override the configuration values in [values.yaml](https://github.com/btungut/azure-keyvault-secret-operator/blob/master/helm/values.yaml) of helm chart
 
 ```
 ...
 configs:
-  LogLevel: "Information"
-  EnableJsonLogging: "false"
-  ReconciliationFrequency: "00:00:30"
+  logLevel: "Information"
+  enableJsonLogging: "false"
+  reconciliationFrequency: "00:00:30"
 ...
 ```
 
+an example which enables json logging and changing log level;
+```
+helm upgrade -i {RELEASE-NAME} btungut/azure-keyvault-secret-operator --set configs.logLevel="Debug" --set configs.enableJsonLogging="true"
+```
+
 these are defined in [deployment.yaml](https://github.com/btungut/azure-keyvault-secret-operator/blob/master/manifests/03-deployment.yaml) if you're not using helm chart
 
 ```
         env:
-          - name: LogLevel
+          - name: logLevel
             value: "Information"
-          - name: EnableJsonLogging
+          - name: enableJsonLogging
             value: "false"
-          - name: ReconciliationFrequency
+          - name: reconciliationFrequency
             value: "00:00:30"
 ```
 
-- `LogLevel` might be any of Verbose, Debug, Information, Warning, Error, Fatal
-- `EnableJsonLogging` is boolean as string, you can enable it by passing "true" to structured logs.
-- `ReconciliationFrequency` couldn't be less than 10 seconds. More information about reconciliation process will be here soon.
+- `logLevel` might be any of Verbose, Debug, Information, Warning, Error, Fatal
+- `enableJsonLogging` is boolean as string, you can enable it by passing "true" to structured logs.
+- `reconciliationFrequency` couldn't be less than 10 seconds. More information about reconciliation process will be here soon.
 

helm/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: azure-keyvault-secret-operator
 description: Kubernetes operator which enables your cluster to sync secrets with Azure KeyVault in easiest way.
 type: application
-version: 0.0.1
-appVersion: "0.0.1"
+version: 0.0.3
+appVersion: "0.0.3"
 sources:
   - https://github.com/btungut/azure-keyvault-secret-operator
 home: https://github.com/btungut/azure-keyvault-secret-operator

helm/templates/crd.yaml

@@ -25,20 +25,25 @@ spec:
           properties:
             spec:
               type: object
-              required: ["name", "resourceGroup", "servicePrincipal", "objects"]
+              required: ["azureKeyVaultRef", "servicePrincipalRef", "managedSecrets"]
               properties:
-                name:
-                  type: string
-                  description: "Azure KeyVault resource name"
-                resourceGroup:
-                  type: string
-                  description: "Resource group which includes Azure KeyVault"
                 syncVersion:
                   type: integer
                   description: "Optional version value which is being tracked by operator to identify that whether secrets need to be updated or not"
                   minimum: 1
                   default: 1
-                servicePrincipal:
+                azureKeyVaultRef:
+                  type: object
+                  description: "Reference of Azure KeyVault resource"
+                  required: ["name", "resourceGroup"]
+                  properties:
+                    name:
+                      type: string
+                      description: "Azure KeyVault resource name"
+                    resourceGroup:
+                      type: string
+                      description: "Resource group which includes Azure KeyVault"
+                servicePrincipalRef:
                   type: object
                   description: "Authorized service principal which is used against Azure APIs"
                   required: ["secretName", "secretNamespace","tenantIdField", "clientIdField", "clientSecretField"]
@@ -58,46 +63,46 @@ spec:
                     clientSecretField:
                       type: string
                       description: "The data/field name that correspond to Client Secret (password) of service principal"
-                objects:
+
+                managedSecrets:
                   type: array
-                  description: "List of Azure KeyVault contents and Kubernetes secrets which needs to be synced"
+                  description:  "List of the secrets which is created and managed secrets by operator"
                   items:
                     type: object
-                    required: ["name", "type", "copyTo"]
+                    required: ["name", "namespaces", "data"]
                     properties:
                       name:
                         type: string
-                        description: "Name of Azure KeyVault content"
-                      type:
-                        type: string
-                        description: "Type of Azure KeyVault content (secret,certificate or key)"
-                        pattern: "(^secret$)|(^certificate$)|(^key$)"
-                      copyTo:
+                        description: "Name of the secret which is created"
+                      namespaces:
                         type: array
-                        description: "List of kubernetes secrets which is created with referenced Azure KeyVault contents"
+                        description: "Namespaces regex pattern list of the secret which is created in"
                         items:
-                          type: object
-                          required: ["namespace", "secretName"]
-                          properties:
-                            namespace:
-                              type: string
-                              description: "Namespace of to be created secret"
-                            secretName:
-                              type: string
-                              description: "Name of to be created secret"
-                            secretType:
-                              type: string
-                              description: "Type of to be created secret (default : Opaque)"
-                              pattern: "(^[Oo]paque$)|(^kubernetes.io/(service-account-token|dockercfg|dockerconfigjson|basic-auth|ssh-auth|tls)$)|(^bootstrap.kubernetes.io/token$)"
-                              default: "Opaque"
+                          type: string
+                          minimum: 1
+                      type:
+                        type: string
+                        description: "Type of to secret (default : Opaque)"
+                        pattern: "(^[Oo]paque$)|(^kubernetes.io/(service-account-token|dockercfg|dockerconfigjson|basic-auth|ssh-auth|tls)$)|(^bootstrap.kubernetes.io/token$)"
+                        default: "Opaque"
+                      data:
+                        type: object
+                        minimum: 1
+                        additionalProperties:
+                          type: string
+                      labels:
+                        type: object
+                        additionalProperties:
+                          type: string
+
       additionalPrinterColumns:
         - name: "syncVersion"
           jsonPath: .spec.syncVersion
           type: integer
         - name: "serviceprincipal-secret-namespace"
-          jsonPath: .spec.servicePrincipal.secretNamespace
+          jsonPath: .spec.servicePrincipalRef.secretNamespace
           type: string
         - name: "serviceprincipal-secret-name"
-          jsonPath: .spec.servicePrincipal.secretName
+          jsonPath: .spec.servicePrincipalRef.secretName
           type: string
 

helm/templates/deployment.yaml

@@ -28,12 +28,12 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: IfNotPresent
           env:
-            - name: LogLevel
-              value: {{ .Values.configs.LogLevel | quote }}
-            - name: EnableJsonLogging
-              value: {{ .Values.configs.EnableJsonLogging | quote }}
-            - name: ReconciliationFrequency
-              value: {{ .Values.configs.ReconciliationFrequency | quote }}
+            - name: logLevel
+              value: {{ .Values.configs.logLevel | quote }}
+            - name: enableJsonLogging
+              value: {{ .Values.configs.enableJsonLogging | quote }}
+            - name: reconciliationFrequency
+              value: {{ .Values.configs.reconciliationFrequency | quote }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

helm/values.yaml

@@ -3,12 +3,15 @@ fullnameOverride: ""
 
 image:
   repository: btungut/azure-keyvault-secret-operator
-  tag: 0.0.1
+  tag: 0.0.3
 
 configs:
-  LogLevel: "Information"             # valid values: Verbose, Debug, Information, Warning, Error, Fatal (default : Information)
-  EnableJsonLogging: "false"          # valid values: true, false as string
-  ReconciliationFrequency: "00:00:30" # timespan hh:mm:ss
+  # valid values: Verbose, Debug, Information, Warning, Error, Fatal (default : Information)
+  logLevel: "Information"
+  # valid values: true, false as string
+  enableJsonLogging: "false"
+  # timespan hh:mm:ss
+  reconciliationFrequency: "00:00:30"
 
 rbac:
   enabled: true