ContainerSolutions · riccardomc · May 29, 2019 · May 9, 2019 · May 9, 2019 · May 16, 2019
diff --git a/Makefile b/Makefile
@@ -1,10 +1,10 @@
 DOCKER_IMAGE ?= containersol/externalsecret-operator
-DOCKER_TAG ?= backend-1password
+DOCKER_TAG ?= $(shell grep -Po 'Version = "\K.*?(?=")' version/version.go)
 
 # export these if you want to use AWS secrets manager
 AWS_ACCESS_KEY_ID ?= AKIACONFIGUREME
 AWS_SECRET_ACCESS_KEY ?= Secretsecretconfigureme 
-AWS_REGION ?= eu-west-1
+AWS_DEFAULT_REGION ?= eu-west-1
 
 NAMESPACE ?= "default"
 
@@ -19,13 +19,12 @@ push:
 .PHONY: deploy
 .EXPORT_ALL_VARIABLES: deploy
 deploy:
-	envsubst < ./deploy/onepassword-namespace.yaml | kubectl apply -f -
-	envsubst < ./deploy/onepassword-configmap.yaml | kubectl apply -n ${NAMESPACE} -f -
 	kubectl apply -n $(NAMESPACE) -f ./deploy/service_account.yaml
 	kubectl apply -n $(NAMESPACE) -f ./deploy/role.yaml
 	envsubst < ./deploy/role_binding.yaml | kubectl apply -n $(NAMESPACE) -f  -
 	kubectl apply -n $(NAMESPACE) -f ./deploy/crds/externalsecret-operator_v1alpha1_externalsecret_crd.yaml
-	envsubst < deploy/operator-onepassword.yaml | kubectl apply -n $(NAMESPACE) -f -
+	envsubst < deploy/operator-config.yaml | kubectl apply -n $(NAMESPACE) -f -
+	envsubst < deploy/operator.yaml | kubectl apply -n $(NAMESPACE) -f -
 
 .PHONY: test
 test:

diff --git a/README.md b/README.md
@@ -29,9 +29,6 @@ and custom resource definitions:
 
 
 ```shell
-export AWS_ACCESS_KEY_ID=AKIACONFIGUREME
-export AWS_SECRET_ACCESS_KEY=Secretsecretconfigureme
-export AWS_REGION=eu-west-1
 make deploy
 ```
 
@@ -46,7 +43,7 @@ Given a secret defined in AWS Secrets Manager:
 and an `ExternalSecret` resource definition like this one:
 
 ```yaml
-% cat deploy/crds/externalsecret-operator_v1alpha1_externalsecret_cr.yaml
+% cat ./deploy/crds/examples/externalsecret-asm.yaml
 apiVersion: externalsecret-operator.container-solutions.com/v1alpha1
 kind: ExternalSecret
 metadata:
@@ -60,7 +57,7 @@ The operator fetches the secret from AWS Secrets Manager and injects it as a
 secret:
 
 ```shell
-% kubectl apply -f deploy/crds/externalsecret-operator_v1alpha1_externalsecret_cr.yaml
+% kubectl apply -f ./deploy/crds/examples/externalsecret-asm.yaml
 % kubectl get secret example-externalsecret -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
 this string is a secret
 ```

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -7,6 +7,8 @@ import (
 	"os"
 	"runtime"
 
+	"github.com/ContainerSolutions/externalsecret-operator/pkg/secrets"
+
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
@@ -61,6 +63,12 @@ func main() {
 
 	printVersion()
 
+	err := secrets.BackendInitFromEnv()
+	if err != nil {
+		log.Error(err, "Failed to initialize backends")
+		os.Exit(1)
+	}
+
 	namespace, err := k8sutil.GetWatchNamespace()
 	if err != nil {
 		log.Error(err, "Failed to get watch namespace")

diff --git a/deploy/crds/examples/externalsecret-asm.yaml b/deploy/crds/examples/externalsecret-asm.yaml
@@ -0,0 +1,7 @@
+apiVersion: externalsecret-operator.container-solutions.com/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: example-externalsecret-asm
+spec:
+  Key: example-externalsecret-key
+  Backend: asm-example
diff --git a/deploy/crds/examples/externalsecret-dummy.yaml b/deploy/crds/examples/externalsecret-dummy.yaml
@@ -0,0 +1,7 @@
+apiVersion: externalsecret-operator.container-solutions.com/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: example-externalsecret
+spec:
+  Key: example-externalsecret-key
+  Backend: dummy-example
diff --git a/deploy/crds/examples/externalsecret-dummy2.yaml b/deploy/crds/examples/externalsecret-dummy2.yaml
@@ -0,0 +1,7 @@
+apiVersion: externalsecret-operator.container-solutions.com/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: example-externalsecret-2
+spec:
+  Key: example-externalsecret-key
+  Backend: dummy-example
diff --git a/deploy/crds/externalsecret-operator_v1alpha1_externalsecret_cr.yaml b/deploy/crds/externalsecret-operator_v1alpha1_externalsecret_cr.yaml
@@ -4,4 +4,4 @@ metadata:
   name: example-externalsecret
 spec:
   Key: example-externalsecret
-  Backend: onepassword
+  Backend: asm-example
diff --git a/deploy/operator-aws.yaml b/deploy/operator-aws.yaml
diff --git a/deploy/operator-config.json b/deploy/operator-config.json
@@ -0,0 +1,9 @@
+{
+  "Name": "asm-example",
+  "Type": "asm",
+  "Parameters": {
+    "accessKeyID": "$AWS_ACCESS_KEY_ID",
+    "region": "$AWS_REGION",
+    "secretAccessKey": "$AWS_SECRET_ACCESS_KEY"
+  }
+}
diff --git a/deploy/operator-config.yaml b/deploy/operator-config.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-config
+type: Opaque
+stringData:
+  operator-config.json: |-
+    {
+      "Name": "asm-example",
+      "Type": "asm",
+      "Parameters": {
+        "accessKeyID": "$AWS_ACCESS_KEY_ID",
+        "region": "$AWS_DEFAULT_REGION",
+        "secretAccessKey": "$AWS_SECRET_ACCESS_KEY"
+      }
+    }
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -15,11 +15,10 @@ spec:
       serviceAccountName: externalsecret-operator
       containers:
         - name: externalsecret-operator
-          # Replace this with the built image name
-          image: REPLACE_IMAGE
+          image: containersol/externalsecret-operator:0.0.2
           command:
           - externalsecret-operator
-          imagePullPolicy: Always
+          imagePullPolicy: Never
           env:
             - name: WATCH_NAMESPACE
               value: ""
@@ -29,3 +28,8 @@ spec:
                   fieldPath: metadata.name
             - name: OPERATOR_NAME
               value: "externalsecret-operator"
+            - name: OPERATOR_CONFIG
+              valueFrom:
+                secretKeyRef:
+                  name: operator-config
+                  key: operator-config.json
diff --git a/pkg/apis/externalsecretoperator/v1alpha1/externalsecret_types.go b/pkg/apis/externalsecretoperator/v1alpha1/externalsecret_types.go
@@ -14,10 +14,10 @@ type ExternalSecretSpec struct {
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
 
-	// The ExternalSecretBackend to use to retrieve the secret
-	Backend string `json:"Backend"`
+	// The Backend to use to retrieve the secret
+	Backend string
 	// The Key of the secret held in the ExternalBackend
-	Key string `json:"Key"`
+	Key string
 }
 
 // ExternalSecretStatus defines the observed state of ExternalSecret
@@ -27,10 +27,10 @@ type ExternalSecretStatus struct {
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
 
-	// The ExternalSecretBackend to use to retrieve the secret
-	Backend string `json:"Backend"`
+	// The Backend to use to retrieve the secret
+	Backend string
 	// The Key of the secret held in the ExternalBackend
-	Key string `json:"Key"`
+	Key string
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

diff --git a/pkg/apis/externalsecretoperator/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/externalsecretoperator/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/externalsecretoperator/v1alpha1/zz_generated.openapi.go b/pkg/apis/externalsecretoperator/v1alpha1/zz_generated.openapi.go
diff --git a/pkg/controller/externalsecret/externalsecret_controller.go b/pkg/controller/externalsecret/externalsecret_controller.go
@@ -46,9 +46,6 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 		return err
 	}
 
-	// Initialize the secret backends
-	initSecretBackends()
-
 	// Watch for changes to primary resource ExternalSecret
 	err = c.Watch(&source.Kind{Type: &externalsecretoperatorv1alpha1.ExternalSecret{}}, &handler.EnqueueRequestForObject{})
 	if err != nil {

diff --git a/pkg/controller/externalsecret/externalsecret_functions.go b/pkg/controller/externalsecret/externalsecret_functions.go
@@ -10,34 +10,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-func initSecretBackends() {
-	// TODO: backends should be created on the fly according to CRDs
-	asm := secrets.NewAWSSecretsManagerBackend()
-	if err := asm.Init(); err != nil {
-		log.Error(err, "Failed to initialize AWS Secrets Manager Backend")
-	}
-
-	dummy := secrets.NewDummySecretsBackend()
-	dummy.Init("-value")
-	secrets.BackendRegister("dummy", dummy)
-	log.Info("Initialized Dummy backend")
-
-	secrets.BackendRegister("asm", asm)
-	log.Info("Initialized Amazon Secret Manager backend")
-
-	onepasswordClient := secrets.OnePasswordCliClient{}
-	vault := "Personal"
-	onepassword := secrets.NewOnePasswordBackend(vault, onepasswordClient)
-	onepassword.Init()
-	secrets.BackendRegister("onepassword", onepassword)
-	log.Info("Initialized 1password backend")
-}
-
 func newSecretForCR(cr *externalsecretoperatorv1alpha1.ExternalSecret) (*corev1.Secret, error) {
-	backend, ok := secrets.Backends[cr.Spec.Backend]
+	backend, ok := secrets.BackendInstances[cr.Spec.Backend]
 	if !ok {
 		return nil, fmt.Errorf("Cannot find backend: %v", cr.Spec.Backend)
 	}
+
 	value, err := backend.Get(cr.Spec.Key)
 	secret := map[string][]byte{cr.Spec.Key: []byte(value)}
 

diff --git a/pkg/controller/externalsecret/externalsecret_functions_test.go b/pkg/controller/externalsecret/externalsecret_functions_test.go
@@ -12,9 +12,9 @@ func TestNewSecretForCR(t *testing.T) {
 	key := "key"
 	suffix := "-value"
 
-	dummy := secrets.NewDummySecretsBackend()
-	dummy.Init("-value")
-	secrets.BackendRegister("dummy", dummy)
+	secrets.BackendRegister("dummy", secrets.NewDummySecretsBackend)
+	secrets.BackendInstantiate("dummy", "dummy")
+	secrets.BackendInstances["dummy"].Init(map[string]string{"suffix": "-value"})
 
 	Convey("Given an ExternalSecret resource", t, func() {
 		externalSecret := v1alpha1.ExternalSecret{