patoarvizu · patoarvizu · Jan 12, 2023 · Jan 5, 2023 · Jan 5, 2023 · Jan 5, 2023
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -135,7 +135,7 @@ jobs:
           notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/kms-vault-operator-circleci.key --role kms-vault-operator-circleci
           export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
           OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
-          export DOCKER_CONTENT_TRUST=1
+          # export DOCKER_CONTENT_TRUST=1
           VERSION=${CIRCLE_TAG:-latest}
           docker buildx build --progress=plain --platform=linux/amd64 --load $OPERATOR_BUILD_ARGS . -t patoarvizu/kms-vault-operator:latest-amd64 -t patoarvizu/kms-vault-operator:$CIRCLE_SHA1-amd64 -t patoarvizu/kms-vault-operator:$VERSION-amd64
           docker push patoarvizu/kms-vault-operator:latest-amd64
@@ -200,7 +200,7 @@ jobs:
           notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/kms-vault-operator-circleci.key --role kms-vault-operator-circleci
           export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
           OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
-          export DOCKER_CONTENT_TRUST=1
+          # export DOCKER_CONTENT_TRUST=1
           VERSION=${CIRCLE_TAG:-latest}
           docker buildx build --progress=plain --platform=linux/arm64 --cache-to=type=local,dest=/tmp/latest-arm64-cache,mode=max --cache-from=type=local,src=/tmp/latest-arm64-cache --load $OPERATOR_BUILD_ARGS . -t patoarvizu/kms-vault-operator:latest-arm64
           docker tag patoarvizu/kms-vault-operator:latest-arm64 patoarvizu/kms-vault-operator:$CIRCLE_SHA1-arm64
@@ -272,7 +272,7 @@ jobs:
           notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/kms-vault-operator-circleci.key --role kms-vault-operator-circleci
           export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
           OPERATOR_BUILD_ARGS="--build-arg GIT_COMMIT=$CIRCLE_SHA1 --build-arg GIT_TAG=$CIRCLE_TAG --build-arg COMMIT_TIMESTAMP=$(git log -1 --format=%at) --build-arg AUTHOR_EMAIL=$(git log -1 --format=%ae) --build-arg SIGNATURE_KEY=$(git log -1 --format=%GK)"
-          export DOCKER_CONTENT_TRUST=1
+          # export DOCKER_CONTENT_TRUST=1
           VERSION=${CIRCLE_TAG:-latest}
           docker buildx build --progress=plain --platform=linux/arm/v7 --cache-to=type=local,dest=/tmp/latest-arm7-cache,mode=max --cache-from=type=local,src=/tmp/latest-arm7-cache --load $OPERATOR_BUILD_ARGS . -t patoarvizu/kms-vault-operator:latest-arm7
           docker tag patoarvizu/kms-vault-operator:latest-arm7 patoarvizu/kms-vault-operator:$CIRCLE_SHA1-arm7
@@ -309,7 +309,7 @@ jobs:
           export NOTARY_DELEGATION_PASSPHRASE=$NOTARY_ROLE_PASSPHRASE
           notary -s https://notary.docker.io -d ~/.docker/trust key import ${HOME}/kms-vault-operator-circleci.key --role kms-vault-operator-circleci
           export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
-          export DOCKER_CONTENT_TRUST=1
+          # export DOCKER_CONTENT_TRUST=1
           VERSION=${CIRCLE_TAG:-latest}
           docker manifest create patoarvizu/kms-vault-operator:latest --amend patoarvizu/kms-vault-operator:latest-amd64 --amend patoarvizu/kms-vault-operator:latest-arm64 patoarvizu/kms-vault-operator:latest-arm7
           docker manifest push patoarvizu/kms-vault-operator:latest

diff --git a/Makefile b/Makefile
@@ -13,8 +13,6 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 
 # Image URL to use all building/pushing image targets
 IMG ?= patoarvizu/kms-vault-operator:latest
-# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true"
 OPERATOR_BUILD_ARGS = 
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
@@ -53,7 +51,7 @@ deploy: manifests kustomize
 
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 # Run go fmt against code
 fmt:
@@ -87,7 +85,7 @@ ifeq (, $(shell which controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.3.0 ;\
+	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.7.0 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 CONTROLLER_GEN=$(GOBIN)/controller-gen
@@ -128,4 +126,7 @@ testbin:
 	curl -sSLo setup_envtest.sh https://raw.githubusercontent.com/kubernetes-sigs/kubebuilder/master/scripts/setup_envtest_bins.sh 
 	chmod +x setup_envtest.sh
 	./setup_envtest.sh $(K8S_VERSION) $(ETCD_VERSION)
-	chmod 755 testbin/etcd
+	chmod 755 testbin/etcd
+
+import:
+	k3d image import patoarvizu/kms-vault-operator:latest
diff --git a/README.md b/README.md
@@ -5,39 +5,38 @@
 
 <!-- TOC -->
 
-- [KMS Vault operator](#kms-vault-operator)
-  - [Intro](#intro)
-  - [Description](#description)
-  - [Configuration](#configuration)
-    - [AWS](#aws)
-    - [Vault](#vault)
-      - [Kubernetes authentication method (`--vault-authentication-method=k8s`)](#kubernetes-authentication-method---vault-authentication-methodk8s)
-      - [Vault token authentication method (`--vault-authentication-method=token`)](#vault-token-authentication-method---vault-authentication-methodtoken)
-      - [Vault userpass authentication method (`--vault-authentication-method=userpass`)](#vault-userpass-authentication-method---vault-authentication-methoduserpass)
-      - [Vault approle authentication method (`--vault-authentication-method=approle`)](#vault-approle-authentication-method---vault-authentication-methodapprole)
-      - [Vault github authentication method (`--vault-authentication-method=github`)](#vault-github-authentication-method---vault-authentication-methodgithub)
-      - [Vault iam authentication method (`--vault-authentication-method=iam`)](#vault-iam-authentication-method---vault-authentication-methodiam)
-    - [Command-line flags](#command-line-flags)
-    - [Creating a secret](#creating-a-secret)
-    - [Partial secrets](#partial-secrets)
-    - [Empty secrets](#empty-secrets)
-    - [Validating webhook](#validating-webhook)
-      - [Auto-reloading certificate](#auto-reloading-certificate)
-    - [Monitoring](#monitoring)
-  - [For security nerds](#for-security-nerds)
-    - [Docker images are signed and published to Docker Hub's Notary server](#docker-images-are-signed-and-published-to-docker-hubs-notary-server)
-    - [Docker images are labeled with Git and GPG metadata](#docker-images-are-labeled-with-git-and-gpg-metadata)
-  - [Multi-architecture images](#multi-architecture-images)
-  - [Important notes by this project](#important-notes-by-this-project)
-    - [Kubernetes namespaces and Vault namespaces](#kubernetes-namespaces-and-vault-namespaces)
-    - [Multiple secrets writing to the same location](#multiple-secrets-writing-to-the-same-location)
-    - [No validation on target path](#no-validation-on-target-path)
-    - [Removing secrets when a `KMSVaultSecret` is deleted.](#removing-secrets-when-a-kmsvaultsecret-is-deleted)
-    - [Decryption or decoding errors are ignored (but logged)](#decryption-or-decoding-errors-are-ignored-but-logged)
-    - [Support for K/V V2 is limited (as of this version)](#support-for-kv-v2-is-limited-as-of-this-version)
-    - [Partial secrets don't validate keys](#partial-secrets-dont-validate-keys)
-    - [Partial secrets don't support finalizers (yet)](#partial-secrets-dont-support-finalizers-yet)
-  - [Help wanted!](#help-wanted)
+- [Intro](#intro)
+- [Description](#description)
+- [Configuration](#configuration)
+  - [AWS](#aws)
+  - [Vault](#vault)
+    - [Kubernetes authentication method (`--vault-authentication-method=k8s`)](#kubernetes-authentication-method---vault-authentication-methodk8s)
+    - [Vault token authentication method (`--vault-authentication-method=token`)](#vault-token-authentication-method---vault-authentication-methodtoken)
+    - [Vault userpass authentication method (`--vault-authentication-method=userpass`)](#vault-userpass-authentication-method---vault-authentication-methoduserpass)
+    - [Vault approle authentication method (`--vault-authentication-method=approle`)](#vault-approle-authentication-method---vault-authentication-methodapprole)
+    - [Vault github authentication method (`--vault-authentication-method=github`)](#vault-github-authentication-method---vault-authentication-methodgithub)
+    - [Vault iam authentication method (`--vault-authentication-method=iam`)](#vault-iam-authentication-method---vault-authentication-methodiam)
+  - [Command-line flags](#command-line-flags)
+  - [Creating a secret](#creating-a-secret)
+  - [Partial secrets](#partial-secrets)
+  - [Empty secrets](#empty-secrets)
+  - [Validating webhook](#validating-webhook)
+    - [Auto-reloading certificate](#auto-reloading-certificate)
+  - [Monitoring](#monitoring)
+- [For security nerds](#for-security-nerds)
+  - [Docker images are signed and published to Docker Hub's Notary server](#docker-images-are-signed-and-published-to-docker-hubs-notary-server)
+  - [Docker images are labeled with Git and GPG metadata](#docker-images-are-labeled-with-git-and-gpg-metadata)
+- [Multi-architecture images](#multi-architecture-images)
+- [Important notes by this project](#important-notes-by-this-project)
+  - [Kubernetes namespaces and Vault namespaces](#kubernetes-namespaces-and-vault-namespaces)
+  - [Multiple secrets writing to the same location](#multiple-secrets-writing-to-the-same-location)
+  - [No validation on target path](#no-validation-on-target-path)
+  - [Removing secrets when a `KMSVaultSecret` is deleted.](#removing-secrets-when-a-kmsvaultsecret-is-deleted)
+  - [Decryption or decoding errors are ignored (but logged)](#decryption-or-decoding-errors-are-ignored-but-logged)
+  - [Support for K/V V2 is limited (as of this version)](#support-for-kv-v2-is-limited-as-of-this-version)
+  - [Partial secrets don't validate keys](#partial-secrets-dont-validate-keys)
+  - [Partial secrets don't support finalizers (yet)](#partial-secrets-dont-support-finalizers-yet)
+- [Help wanted!](#help-wanted)
 
 <!-- /TOC -->
 
@@ -193,6 +192,8 @@ Up until version `v0.14.0`, this operator was using a version of the operator-sd
 
 ## For security nerds
 
+**NOTE:** Due to technical issues with the Notary client, starting on January 4th 2023 and until further notice new images will NOT be signed. The images will still be built for multi-architecture, and will include the Git and GPG metadata, but they won't pass Docker Content Trust validation if you have it enabled.
+
 ### Docker images are signed and published to Docker Hub's Notary server
 
 The [Notary](https://github.com/theupdateframework/notary) project is a CNCF incubating project that aims to provide trust and security to software distribution. Docker Hub runs a Notary server at https://notary.docker.io for the repositories it hosts.

diff --git a/config/crd/bases/k8s.patoarvizu.dev_kmsvaultsecrets.yaml b/config/crd/bases/k8s.patoarvizu.dev_kmsvaultsecrets.yaml
@@ -1,10 +1,10 @@
 
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.3.0
+    controller-gen.kubebuilder.io/version: v0.7.0
   creationTimestamp: null
   name: kmsvaultsecrets.k8s.patoarvizu.dev
 spec:
@@ -17,88 +17,87 @@ spec:
     - kmsvs
     singular: kmsvaultsecret
   scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: KMSVaultSecret is the Schema for the kmsvaultsecrets API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: KMSVaultSecretSpec defines the desired state of KMSVaultSecret
-          properties:
-            includeSecrets:
-              items:
-                type: string
-              type: array
-              x-kubernetes-list-type: set
-            kvSettings:
-              properties:
-                casIndex:
-                  minimum: 0
-                  type: integer
-                engineVersion:
-                  enum:
-                  - v1
-                  - v2
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: KMSVaultSecret is the Schema for the kmsvaultsecrets API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KMSVaultSecretSpec defines the desired state of KMSVaultSecret
+            properties:
+              includeSecrets:
+                items:
                   type: string
-              required:
-              - engineVersion
-              type: object
-            path:
-              type: string
-            secretContext:
-              additionalProperties:
-                type: string
-              type: object
-            secrets:
-              items:
+                type: array
+                x-kubernetes-list-type: set
+              kvSettings:
                 properties:
-                  emptySecret:
-                    type: boolean
-                  encryptedSecret:
+                  casIndex:
+                    minimum: 0
+                    type: integer
+                  engineVersion:
+                    enum:
+                    - v1
+                    - v2
                     type: string
-                  key:
-                    type: string
-                  secretContext:
-                    additionalProperties:
-                      type: string
-                    type: object
                 required:
-                - key
+                - engineVersion
                 type: object
-              type: array
-              x-kubernetes-list-map-keys:
-              - key
-              x-kubernetes-list-type: map
-          required:
-          - kvSettings
-          - path
-          - secrets
-          type: object
-        status:
-          description: KMSVaultSecretStatus defines the observed state of KMSVaultSecret
-          properties:
-            created:
-              type: boolean
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
+              path:
+                type: string
+              secretContext:
+                additionalProperties:
+                  type: string
+                type: object
+              secrets:
+                items:
+                  properties:
+                    emptySecret:
+                      type: boolean
+                    encryptedSecret:
+                      type: string
+                    key:
+                      type: string
+                    secretContext:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  required:
+                  - key
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - key
+                x-kubernetes-list-type: map
+            required:
+            - kvSettings
+            - path
+            - secrets
+            type: object
+          status:
+            description: KMSVaultSecretStatus defines the observed state of KMSVaultSecret
+            properties:
+              created:
+                type: boolean
+            type: object
+        type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""