Conversation
(branch force-pushed from 1db8786 to 854e72c)
moolen left a comment
I think that your proposal to create access tokens for GitHub App installations would better fit for a Generator API:
https://external-secrets.io/latest/guides/generator/
```go
	Auth GithubAuth `json:"auth"`
}

type GithubAuth struct {
	SecretRef GithubSecretRef `json:"secretRef"`
}

type GithubSecretRef struct {
	PrivatKey esmeta.SecretKeySelector `json:"privatKey"`
}
```
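Review bot: the field `PrivatKey` with tag `json:"privatKey"` in `GithubSecretRef` is misspelled, and because the JSON tag becomes the key users write in the SecretStore CRD, it should be `PrivateKey` / `json:"privateKey"` before this API ships; renaming it after release would be a breaking change for every existing manifest.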
I think this can be improved, the secretRef isn't needed, i suggest:
```yaml
auth:
  privateKey:
    secretRef: {} # ...
```
can you please elaborate why secretRef can be omitted?
```yaml
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: github-secret-stor
  namespace: external-secrets
spec:
  provider:
    github:
      appID: "0000000"
      installID: "00000000"
      auth:
        secretRef:   # lower-case to match the `json:"secretRef"` tag (was `SecretRef`)
          privatKey:
            name: github-app-pem
            key: key
```
I suggest to swap both secretRef and privateKey. In case there is another way to fetch a privateKey or there is a different way to authenticate we can easier extend it that way.
The auth node contains different authentication strategies, privateKey is one of them. You can fetch the private key through a secretRef.
Hi, your suggestion looks reasonable, thank you for your advice.
(branch force-pushed from 5db325c to c6167ec)
…pplication private key Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Michael Serchenia <76994369+mike-serchenia@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Signed-off-by: Michael Serchenia <76994369+mike-serchenia@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…teKey Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Co-authored-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…l-secrets#3040) Bumps alpine from `13b7e62` to `51b6726`. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…l-secrets#3038) Bumps golang from `04cf306` to `c4b696f`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…cs (external-secrets#3043) Bumps [mkdocs-material](https://github.com/squidfunk/mkdocs-material) from 9.5.3 to 9.5.4. - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](squidfunk/mkdocs-material@9.5.3...9.5.4) --- updated-dependencies: - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…-secrets#3045) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.2 to 2.3.1. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@e38b190...0864cf1) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…ernal-secrets#3054) The snippet[1] was not aligning with the schema defined in CRD. [1] https://external-secrets.io/latest/guides/security-best-practices/ Signed-off-by: kyasbal <kyasbal1994@gmail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
* chore: refactor/centralise secretKeyRef usage Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…secrets#3058) This allows providers to issue warnings, e.g. during a migration/deprecation period Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…l-secrets#3039) Bumps alpine from 3.18 to 3.19. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…crets#3063) Bumps [mkdocs-minify-plugin](https://github.com/byrnereese/mkdocs-minify-plugin) from 0.5.0 to 0.7.2. - [Release notes](https://github.com/byrnereese/mkdocs-minify-plugin/releases) - [Commits](byrnereese/mkdocs-minify-plugin@0.5.0...0.7.2) --- updated-dependencies: - dependency-name: mkdocs-minify-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…xternal-secrets#3062) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 2.1.3 to 2.1.4. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](pallets/markupsafe@2.1.3...2.1.4) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
* update dependencies Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> * fix: re-generate CRDs with new controller-runtime version Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> --------- Signed-off-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: External Secrets Operator <ExternalSecretsOperator@users.noreply.github.com> Co-authored-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
* added metrics support for Akeyless Signed-off-by: Sai Charan Godasi <saicharangodasi@Sais-MacBook-Air.local>
Bump to v2 to address CVE-2024-21664. Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…ernal-secrets#3078) * remove deprecated code for fetching secret by name Signed-off-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com> * update the documentation Signed-off-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com> * fix linting Signed-off-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com> --------- Signed-off-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com> Co-authored-by: shanti.gundumalla@ibm.com <shanti.gundumalla@ibm.com> Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…dated ValidateStore func Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
(branch force-pushed from 4151253 to b9196a6)
Signed-off-by: Michael Serchenia <76994369+mike-serchenia@users.noreply.github.com>
Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
@moolen I also plan to extend the github provider to pull github secrets and vars in the next few iterations. I may have an issue with DCO signoff.
Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
@moolen, I moved the changes to the new PR and signed them properly; can you please check and approve or comment on the new PR?
* github provider signed, supersedes #3014 Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * tests pass, + crd + docs Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * fix sonarLint alert Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * refactoring, replace secretStore with generator Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * cosmetics + tst + lint pass Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * docs Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * clean-up + lint + test Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * small refactor, fix issues left in comments Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> --------- Signed-off-by: Mike Serchenia <michael_serchenia@epam.com>
…3115) * github provider signed, supersedes external-secrets#3014 Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * tests pass, + crd + docs Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * fix sonarLint alert Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * refactoring, replace secretStore with generator Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * cosmetics + tst + lint pass Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * docs Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * clean-up + lint + test Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * small refactor, fix issues left in comments Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> --------- Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> Signed-off-by: Bude8 <henryblee8@gmail.com>
…3115) * github provider signed, supersedes external-secrets#3014 Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * tests pass, + crd + docs Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * fix sonarLint alert Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * refactoring, replace secretStore with generator Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * cosmetics + tst + lint pass Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * docs Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * clean-up + lint + test Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> * small refactor, fix issues left in comments Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> --------- Signed-off-by: Mike Serchenia <michael_serchenia@epam.com> Signed-off-by: Bill Hamilton <bill.hamilton@delinea.com>

I'd like to propose a new provider: GitHub. It uses a GitHub application privateKey and appID to get a GitHub accessToken of format ghs_*. The token can be used to access GH repositories, pull/push to the registry, etc.
It can be used for Tekton auth with GH instead of using personal access tokens.
Checklist
git commit --signoff
make test
make reviewable
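The exchange the description refers to (app private key + appID exchanged for a short-lived ghs_* installation token), as an added example in Go, the project's language; this is not code from the PR or from external-secrets. The app ID "0000000" and installation ID "00000000" are the placeholders from the SecretStore YAML above; the fake GitHub endpoint, the function names, the 8-minute JWT lifetime and the `ghs_constructedExampleToken` value are constructed here so the block runs offline. Against real GitHub, apiBase is https://api.github.com and the signing key is the PEM the SecretStore's secretRef points at.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// appJWT builds the RS256 JWT a GitHub App presents to authenticate as itself: iss is
// the app ID, iat is backdated 60s for clock skew, exp stays under GitHub's 10-minute cap.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]interface{}{"iss": appID,
		"iat": now.Add(-time.Minute).Unix(), "exp": now.Add(8 * time.Minute).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyAppJWT is the server-side check: RS256 signature, then the iat/exp window; returns iss.
func verifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	sig, _ := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("bad signature: %w", err)
	}
	raw, _ := b64.DecodeString(parts[1]) // covered by the signature just verified
	var c struct{ Iss string `json:"iss"`; Iat, Exp int64 }
	if json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp || c.Exp-c.Iat > 600 {
		return "", fmt.Errorf("JWT unparsable, expired, or lifetime over 10 minutes")
	}
	return c.Iss, nil
}

// installationToken exchanges the app JWT for a short-lived ghs_ installation access token.
func installationToken(apiBase, appID, installID string, key *rsa.PrivateKey) (string, error) {
	jwt, err := appJWT(appID, key, time.Now())
	if err != nil {
		return "", err
	}
	req, _ := http.NewRequest(http.MethodPost,
		fmt.Sprintf("%s/app/installations/%s/access_tokens", apiBase, installID), nil)
	req.Header.Set("Authorization", "Bearer "+jwt)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var body struct{ Token string `json:"token"` }
	err = json.NewDecoder(resp.Body).Decode(&body)
	return body.Token, err
}

// fakeGitHub stands in for api.github.com offline: verifies the app JWT, mints a constructed ghs_ token.
func fakeGitHub(pub *rsa.PublicKey, appID, installID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		iss, err := verifyAppJWT(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), pub, time.Now())
		if err != nil || iss != appID || r.Method != http.MethodPost ||
			r.URL.Path != "/app/installations/"+installID+"/access_tokens" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusCreated)
		_ = json.NewEncoder(w).Encode(map[string]string{"token": "ghs_constructedExampleToken"})
	}))
}

// Demo runs the exchange end to end; wrongKey=true signs with an unrelated key (wrong PEM in the secretRef).
func Demo(wrongKey bool) (string, error) {
	appKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	signer := appKey
	if wrongKey {
		signer, _ = rsa.GenerateKey(rand.Reader, 2048)
	}
	srv := fakeGitHub(&appKey.PublicKey, "0000000", "00000000")
	defer srv.Close()
	return installationToken(srv.URL, "0000000", "00000000", signer)
}

func main() {
	fmt.Println(Demo(false))
}
```

Two limits matter for a generator built on this exchange: GitHub refuses an app JWT whose exp is more than 10 minutes after iat, and the ghs_ installation token it returns expires after one hour, so the token must be re-minted on each refresh rather than cached indefinitely. Demo(true) shows the failure a wrong secretRef produces: the signature does not verify under the app's public key, the token endpoint answers 401, and installationToken surfaces that as an error instead of handing back an empty token.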