fix: issues with generators (#4163)

* fix: issues with generators

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* fix generator RBAC permissions for controller

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* fix docs for UUID generator

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* update tilt to 0.33.10

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* explicitly specify generator RBAC roles

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

* update helm test with new entries

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

Makefile

@@ -334,7 +334,7 @@ GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
 ## Tool Versions
 GOLANGCI_VERSION := 1.61.0
 KUBERNETES_VERSION := 1.30.x
-TILT_VERSION := 0.33.10
+TILT_VERSION := 0.33.21
 
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.

apis/externalsecrets/v1beta1/externalsecret_types.go

@@ -391,6 +391,7 @@ type ExternalSecretSpec struct {
 // from which the secret will be pulled from.
 // You can define at maximum one property.
 // +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
 type StoreSourceRef struct {
 	// +optional
 	SecretStoreRef SecretStoreRef `json:"storeRef,omitempty"`
@@ -406,6 +407,7 @@ type StoreSourceRef struct {
 // from which the secret will be pulled from.
 // You can define at maximum one property.
 // +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
 type StoreGeneratorSourceRef struct {
 	// +optional
 	SecretStoreRef *SecretStoreRef `json:"storeRef,omitempty"`
@@ -420,7 +422,9 @@ type GeneratorRef struct {
 	// Specify the apiVersion of the generator resource
 	// +kubebuilder:default="generators.external-secrets.io/v1alpha1"
 	APIVersion string `json:"apiVersion,omitempty"`
-	// Specify the Kind of the resource, e.g. Password, ACRAccessToken, ClusterGenerator etc.
+
+	// Specify the Kind of the generator resource
+	// +kubebuilder:validation:Enum=ACRAccessToken;ClusterGenerator;ECRAuthorizationToken;Fake;GCRAccessToken;GithubAccessToken;Password;STSSessionToken;UUID;VaultDynamicSecret;Webhook
 	Kind string `json:"kind"`
 
 	// Specify the name of the generator resource

apis/generators/v1alpha1/generator.go → apis/generators/v1alpha1/generator_interfaces.go

@@ -25,6 +25,8 @@ import (
 // +kubebuilder:object:generate:false
 // +k8s:deepcopy-gen:interfaces=nil
 // +k8s:deepcopy-gen=nil
+
+// Generator is the common interface for all generators that is actually used to generate whatever is needed.
 type Generator interface {
 	Generate(
 		ctx context.Context,

apis/generators/v1alpha1/generator_types.go

@@ -14,69 +14,8 @@ limitations under the License.
 
 package v1alpha1
 
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// A couple of constants to define the generator's keys for accessing via Resource map values.
-const (
-	GeneratorGeneratorKey = "generator"
-	GeneratorKindKey      = "kind"
-	GeneratorSpecKey      = "spec"
-)
-
 type ControllerClassResource struct {
 	Spec struct {
 		ControllerClass string `json:"controller"`
 	} `json:"spec"`
 }
-
-type GeneratorSpec struct {
-	// NOTE: when adding new supported generators, make sure to also update
-	//       clusterGeneratorToVirtual() function in pkg/utils/resolvers/generator.go
-	//       so they can be unpacked correctly.
-
-	ACRAccessTokenSpec        *ACRAccessTokenSpec        `json:"acrAccessTokenSpec,omitempty"`
-	ECRAuthorizationTokenSpec *ECRAuthorizationTokenSpec `json:"ecrRAuthorizationTokenSpec,omitempty"`
-	FakeSpec                  *FakeSpec                  `json:"fakeSpec,omitempty"`
-	GCRAccessTokenSpec        *GCRAccessTokenSpec        `json:"gcrAccessTokenSpec,omitempty"`
-	GithubAccessTokenSpec     *GithubAccessTokenSpec     `json:"githubAccessTokenSpec,omitempty"`
-	PasswordSpec              *PasswordSpec              `json:"passwordSpec,omitempty"`
-	STSSessionTokenSpec       *STSSessionTokenSpec       `json:"stsSessionTokenSpec,omitempty"`
-	UUIDSpec                  *UUIDSpec                  `json:"uuidSpec,omitempty"`
-	VaultDynamicSecretSpec    *VaultDynamicSecretSpec    `json:"vaultDynamicSecretSpec,omitempty"`
-	WebhookSpec               *WebhookSpec               `json:"webhookSpec,omitempty"`
-}
-
-type ClusterGeneratorSpec struct {
-	Kind      string        `json:"kind"`
-	Generator GeneratorSpec `json:"generator"`
-}
-
-type ClusterGeneratorStatus struct{}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-
-// ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// +kubebuilder:subresource:status
-// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Cluster,categories={external-secrets, external-secrets-generators},shortName=cg
-type ClusterGenerator struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ClusterGeneratorSpec   `json:"spec,omitempty"`
-	Status ClusterGeneratorStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ClusterGeneratorList contains a list of ClusterGenerator resources.
-type ClusterGeneratorList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ClusterGenerator `json:"items"`
-}

apis/generators/v1alpha1/register.go

@@ -125,13 +125,30 @@ var (
 )
 
 func init() {
+	/*
+		===============================================================================
+		 NOTE: when adding support for new kinds of generators:
+		  1. register the struct types in `SchemeBuilder` (right below this note)
+		  2. update the `kubebuilder:validation:Enum` annotation for GeneratorRef.Kind (apis/externalsecrets/v1beta1/externalsecret_types.go)
+		  3. add it to the imports of (pkg/generator/register/register.go)
+		  4. add it to the ClusterRole called "*-controller" (deploy/charts/external-secrets/templates/rbac.yaml)
+		  5. support it in ClusterGenerator:
+			  - add a new GeneratorKind enum value (apis/generators/v1alpha1/types_cluster.go)
+			  - update the `kubebuilder:validation:Enum` annotation for the GeneratorKind enum
+			  - add a spec field to GeneratorSpec (apis/generators/v1alpha1/types_cluster.go)
+			  - update the clusterGeneratorToVirtual() function (pkg/utils/resolvers/generator.go)
+		===============================================================================
+	*/
+
+	SchemeBuilder.Register(&ACRAccessToken{}, &ACRAccessTokenList{})
+	SchemeBuilder.Register(&ClusterGenerator{}, &ClusterGeneratorList{})
 	SchemeBuilder.Register(&ECRAuthorizationToken{}, &ECRAuthorizationTokenList{})
+	SchemeBuilder.Register(&Fake{}, &FakeList{})
 	SchemeBuilder.Register(&GCRAccessToken{}, &GCRAccessTokenList{})
 	SchemeBuilder.Register(&GithubAccessToken{}, &GithubAccessTokenList{})
-	SchemeBuilder.Register(&ACRAccessToken{}, &ACRAccessTokenList{})
-	SchemeBuilder.Register(&Fake{}, &FakeList{})
-	SchemeBuilder.Register(&VaultDynamicSecret{}, &VaultDynamicSecretList{})
 	SchemeBuilder.Register(&Password{}, &PasswordList{})
+	SchemeBuilder.Register(&STSSessionToken{}, &STSSessionTokenList{})
+	SchemeBuilder.Register(&UUID{}, &UUIDList{})
+	SchemeBuilder.Register(&VaultDynamicSecret{}, &VaultDynamicSecretList{})
 	SchemeBuilder.Register(&Webhook{}, &WebhookList{})
-	SchemeBuilder.Register(&ClusterGenerator{}, &ClusterGeneratorList{})
 }

apis/generators/v1alpha1/generator_acr.go → apis/generators/v1alpha1/types_acr.go

@@ -105,7 +105,7 @@ type AzureACRServicePrincipalAuthSecretRef struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=acraccesstoken
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type ACRAccessToken struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/types_cluster.go

@@ -0,0 +1,81 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ClusterGeneratorSpec struct {
+	// Kind the kind of this generator.
+	Kind GeneratorKind `json:"kind"`
+
+	// Generator the spec for this generator, must match the kind.
+	Generator GeneratorSpec `json:"generator"`
+}
+
+// GeneratorKind represents a kind of generator.
+// +kubebuilder:validation:Enum=ACRAccessToken;ECRAuthorizationToken;Fake;GCRAccessToken;GithubAccessToken;Password;STSSessionToken;UUID;VaultDynamicSecret;Webhook
+type GeneratorKind string
+
+const (
+	GeneratorKindACRAccessToken        GeneratorKind = "ACRAccessToken"
+	GeneratorKindECRAuthorizationToken GeneratorKind = "ECRAuthorizationToken"
+	GeneratorKindFake                  GeneratorKind = "Fake"
+	GeneratorKindGCRAccessToken        GeneratorKind = "GCRAccessToken"
+	GeneratorKindGithubAccessToken     GeneratorKind = "GithubAccessToken"
+	GeneratorKindPassword              GeneratorKind = "Password"
+	GeneratorKindSTSSessionToken       GeneratorKind = "STSSessionToken"
+	GeneratorKindUUID                  GeneratorKind = "UUID"
+	GeneratorKindVaultDynamicSecret    GeneratorKind = "VaultDynamicSecret"
+	GeneratorKindWebhook               GeneratorKind = "Webhook"
+)
+
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type GeneratorSpec struct {
+	ACRAccessTokenSpec        *ACRAccessTokenSpec        `json:"acrAccessTokenSpec,omitempty"`
+	ECRAuthorizationTokenSpec *ECRAuthorizationTokenSpec `json:"ecrRAuthorizationTokenSpec,omitempty"`
+	FakeSpec                  *FakeSpec                  `json:"fakeSpec,omitempty"`
+	GCRAccessTokenSpec        *GCRAccessTokenSpec        `json:"gcrAccessTokenSpec,omitempty"`
+	GithubAccessTokenSpec     *GithubAccessTokenSpec     `json:"githubAccessTokenSpec,omitempty"`
+	PasswordSpec              *PasswordSpec              `json:"passwordSpec,omitempty"`
+	STSSessionTokenSpec       *STSSessionTokenSpec       `json:"stsSessionTokenSpec,omitempty"`
+	UUIDSpec                  *UUIDSpec                  `json:"uuidSpec,omitempty"`
+	VaultDynamicSecretSpec    *VaultDynamicSecretSpec    `json:"vaultDynamicSecretSpec,omitempty"`
+	WebhookSpec               *WebhookSpec               `json:"webhookSpec,omitempty"`
+}
+
+// ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
+// +kubebuilder:resource:scope=Cluster,categories={external-secrets, external-secrets-generators}
+type ClusterGenerator struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ClusterGeneratorSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterGeneratorList contains a list of ClusterGenerator resources.
+type ClusterGeneratorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterGenerator `json:"items"`
+}

apis/generators/v1alpha1/generator_ecr.go → apis/generators/v1alpha1/types_ecr.go

@@ -75,7 +75,7 @@ type AWSJWTAuth struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=ecrauthorizationtoken
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type ECRAuthorizationToken struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/generator_fake.go → apis/generators/v1alpha1/types_fake.go

@@ -36,7 +36,7 @@ type FakeSpec struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=fake
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type Fake struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/generator_gcr.go → apis/generators/v1alpha1/types_gcr.go

@@ -53,7 +53,7 @@ type GCPWorkloadIdentity struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=gcraccesstoken
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type GCRAccessToken struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/generator_github.go → apis/generators/v1alpha1/types_github.go

@@ -47,7 +47,7 @@ type GithubSecretRef struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=githubaccesstoken
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type GithubAccessToken struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/generator_password.go → apis/generators/v1alpha1/types_password.go

@@ -53,7 +53,7 @@ type PasswordSpec struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=password
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type Password struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/generator_sts.go → apis/generators/v1alpha1/types_sts.go

@@ -62,7 +62,7 @@ type STSSessionTokenSpec struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=stssessiontoken
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type STSSessionToken struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/generator_uuid.go → apis/generators/v1alpha1/types_uuid.go

@@ -26,7 +26,7 @@ type UUIDSpec struct{}
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=uuids
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type UUID struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -40,5 +40,5 @@ type UUID struct {
 type UUIDList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Password `json:"items"`
+	Items           []UUID `json:"items"`
 }

apis/generators/v1alpha1/generator_vault.go → apis/generators/v1alpha1/types_vault.go

@@ -64,7 +64,7 @@ const (
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=vaultdynamicsecret
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type VaultDynamicSecret struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/generator_webhook.go → apis/generators/v1alpha1/types_webhook.go

@@ -129,7 +129,7 @@ type SecretKeySelector struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators},shortName=webhookl
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets, external-secrets-generators}
 type Webhook struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

apis/generators/v1alpha1/zz_generated.deepcopy.go

@@ -271,7 +271,6 @@ func (in *ClusterGenerator) DeepCopyInto(out *ClusterGenerator) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
-	out.Status = in.Status
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterGenerator.
@@ -340,21 +339,6 @@ func (in *ClusterGeneratorSpec) DeepCopy() *ClusterGeneratorSpec {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterGeneratorStatus) DeepCopyInto(out *ClusterGeneratorStatus) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterGeneratorStatus.
-func (in *ClusterGeneratorStatus) DeepCopy() *ClusterGeneratorStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterGeneratorStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControllerClassResource) DeepCopyInto(out *ControllerClassResource) {
 	*out = *in
@@ -1084,7 +1068,7 @@ func (in *UUIDList) DeepCopyInto(out *UUIDList) {
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]Password, len(*in))
+		*out = make([]UUID, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}

config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml

@@ -142,6 +142,7 @@ spec:
                             SourceRef allows you to override the source
                             from which the value will be pulled.
                           maxProperties: 1
+                          minProperties: 1
                           properties:
                             generatorRef:
                               description: |-
@@ -156,8 +157,19 @@ spec:
                                     resource
                                   type: string
                                 kind:
-                                  description: Specify the Kind of the resource, e.g.
-                                    Password, ACRAccessToken, ClusterGenerator etc.
+                                  description: Specify the Kind of the generator resource
+                                  enum:
+                                  - ACRAccessToken
+                                  - ClusterGenerator
+                                  - ECRAuthorizationToken
+                                  - Fake
+                                  - GCRAccessToken
+                                  - GithubAccessToken
+                                  - Password
+                                  - STSSessionToken
+                                  - UUID
+                                  - VaultDynamicSecret
+                                  - Webhook
                                   type: string
                                 name:
                                   description: Specify the name of the generator resource
@@ -328,6 +340,7 @@ spec:
                             When sourceRef points to a generator Extract or Find is not supported.
                             The generator returns a static map of values
                           maxProperties: 1
+                          minProperties: 1
                           properties:
                             generatorRef:
                               description: GeneratorRef points to a generator custom
@@ -339,8 +352,19 @@ spec:
                                     resource
                                   type: string
                                 kind:
-                                  description: Specify the Kind of the resource, e.g.
-                                    Password, ACRAccessToken, ClusterGenerator etc.
+                                  description: Specify the Kind of the generator resource
+                                  enum:
+                                  - ACRAccessToken
+                                  - ClusterGenerator
+                                  - ECRAuthorizationToken
+                                  - Fake
+                                  - GCRAccessToken
+                                  - GithubAccessToken
+                                  - Password
+                                  - STSSessionToken
+                                  - UUID
+                                  - VaultDynamicSecret
+                                  - Webhook
                                   type: string
                                 name:
                                   description: Specify the name of the generator resource

config/crds/bases/external-secrets.io_externalsecrets.yaml

@@ -432,6 +432,7 @@ spec:
                         SourceRef allows you to override the source
                         from which the value will be pulled.
                       maxProperties: 1
+                      minProperties: 1
                       properties:
                         generatorRef:
                           description: |-
@@ -446,8 +447,19 @@ spec:
                                 resource
                               type: string
                             kind:
-                              description: Specify the Kind of the resource, e.g.
-                                Password, ACRAccessToken, ClusterGenerator etc.
+                              description: Specify the Kind of the generator resource
+                              enum:
+                              - ACRAccessToken
+                              - ClusterGenerator
+                              - ECRAuthorizationToken
+                              - Fake
+                              - GCRAccessToken
+                              - GithubAccessToken
+                              - Password
+                              - STSSessionToken
+                              - UUID
+                              - VaultDynamicSecret
+                              - Webhook
                               type: string
                             name:
                               description: Specify the name of the generator resource
@@ -618,6 +630,7 @@ spec:
                         When sourceRef points to a generator Extract or Find is not supported.
                         The generator returns a static map of values
                       maxProperties: 1
+                      minProperties: 1
                       properties:
                         generatorRef:
                           description: GeneratorRef points to a generator custom resource.
@@ -628,8 +641,19 @@ spec:
                                 resource
                               type: string
                             kind:
-                              description: Specify the Kind of the resource, e.g.
-                                Password, ACRAccessToken, ClusterGenerator etc.
+                              description: Specify the Kind of the generator resource
+                              enum:
+                              - ACRAccessToken
+                              - ClusterGenerator
+                              - ECRAuthorizationToken
+                              - Fake
+                              - GCRAccessToken
+                              - GithubAccessToken
+                              - Password
+                              - STSSessionToken
+                              - UUID
+                              - VaultDynamicSecret
+                              - Webhook
                               type: string
                             name:
                               description: Specify the name of the generator resource

config/crds/bases/external-secrets.io_pushsecrets.yaml

@@ -180,8 +180,19 @@ spec:
                         description: Specify the apiVersion of the generator resource
                         type: string
                       kind:
-                        description: Specify the Kind of the resource, e.g. Password,
-                          ACRAccessToken, ClusterGenerator etc.
+                        description: Specify the Kind of the generator resource
+                        enum:
+                        - ACRAccessToken
+                        - ClusterGenerator
+                        - ECRAuthorizationToken
+                        - Fake
+                        - GCRAccessToken
+                        - GithubAccessToken
+                        - Password
+                        - STSSessionToken
+                        - UUID
+                        - VaultDynamicSecret
+                        - Webhook
                         type: string
                       name:
                         description: Specify the name of the generator resource

config/crds/bases/generators.external-secrets.io_acraccesstokens.yaml

@@ -15,8 +15,6 @@ spec:
     kind: ACRAccessToken
     listKind: ACRAccessTokenList
     plural: acraccesstokens
-    shortNames:
-    - acraccesstoken
     singular: acraccesstoken
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_clustergenerators.yaml

@@ -15,8 +15,6 @@ spec:
     kind: ClusterGenerator
     listKind: ClusterGeneratorList
     plural: clustergenerators
-    shortNames:
-    - cg
     singular: clustergenerator
   scope: Cluster
   versions:
@@ -46,6 +44,10 @@ spec:
           spec:
             properties:
               generator:
+                description: Generator the spec for this generator, must match the
+                  kind.
+                maxProperties: 1
+                minProperties: 1
                 properties:
                   acrAccessTokenSpec:
                     description: |-
@@ -1676,13 +1678,23 @@ spec:
                     type: object
                 type: object
               kind:
+                description: Kind the kind of this generator.
+                enum:
+                - ACRAccessToken
+                - ECRAuthorizationToken
+                - Fake
+                - GCRAccessToken
+                - GithubAccessToken
+                - Password
+                - STSSessionToken
+                - UUID
+                - VaultDynamicSecret
+                - Webhook
                 type: string
             required:
             - generator
             - kind
             type: object
-          status:
-            type: object
         type: object
     served: true
     storage: true

config/crds/bases/generators.external-secrets.io_ecrauthorizationtokens.yaml

@@ -15,8 +15,6 @@ spec:
     kind: ECRAuthorizationToken
     listKind: ECRAuthorizationTokenList
     plural: ecrauthorizationtokens
-    shortNames:
-    - ecrauthorizationtoken
     singular: ecrauthorizationtoken
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_fakes.yaml

@@ -15,8 +15,6 @@ spec:
     kind: Fake
     listKind: FakeList
     plural: fakes
-    shortNames:
-    - fake
     singular: fake
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_gcraccesstokens.yaml

@@ -15,8 +15,6 @@ spec:
     kind: GCRAccessToken
     listKind: GCRAccessTokenList
     plural: gcraccesstokens
-    shortNames:
-    - gcraccesstoken
     singular: gcraccesstoken
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_githubaccesstokens.yaml

@@ -15,8 +15,6 @@ spec:
     kind: GithubAccessToken
     listKind: GithubAccessTokenList
     plural: githubaccesstokens
-    shortNames:
-    - githubaccesstoken
     singular: githubaccesstoken
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_passwords.yaml

@@ -15,8 +15,6 @@ spec:
     kind: Password
     listKind: PasswordList
     plural: passwords
-    shortNames:
-    - password
     singular: password
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_stssessiontokens.yaml

@@ -15,8 +15,6 @@ spec:
     kind: STSSessionToken
     listKind: STSSessionTokenList
     plural: stssessiontokens
-    shortNames:
-    - stssessiontoken
     singular: stssessiontoken
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_uuids.yaml

@@ -15,8 +15,6 @@ spec:
     kind: UUID
     listKind: UUIDList
     plural: uuids
-    shortNames:
-    - uuids
     singular: uuid
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml

@@ -15,8 +15,6 @@ spec:
     kind: VaultDynamicSecret
     listKind: VaultDynamicSecretList
     plural: vaultdynamicsecrets
-    shortNames:
-    - vaultdynamicsecret
     singular: vaultdynamicsecret
   scope: Namespaced
   versions:

config/crds/bases/generators.external-secrets.io_webhooks.yaml

@@ -15,8 +15,6 @@ spec:
     kind: Webhook
     listKind: WebhookList
     plural: webhooks
-    shortNames:
-    - webhookl
     singular: webhook
   scope: Namespaced
   versions:

deploy/charts/external-secrets/templates/rbac.yaml

@@ -57,6 +57,8 @@ rules:
     - "gcraccesstokens"
     - "githubaccesstokens"
     - "passwords"
+    - "stssessiontokens"
+    - "uuids"
     - "vaultdynamicsecrets"
     - "webhooks"
     verbs:

deploy/crds/bundle.yaml

@@ -133,6 +133,7 @@ spec:
                               SourceRef allows you to override the source
                               from which the value will be pulled.
                             maxProperties: 1
+                            minProperties: 1
                             properties:
                               generatorRef:
                                 description: |-
@@ -146,7 +147,19 @@ spec:
                                     description: Specify the apiVersion of the generator resource
                                     type: string
                                   kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken, ClusterGenerator etc.
+                                    description: Specify the Kind of the generator resource
+                                    enum:
+                                      - ACRAccessToken
+                                      - ClusterGenerator
+                                      - ECRAuthorizationToken
+                                      - Fake
+                                      - GCRAccessToken
+                                      - GithubAccessToken
+                                      - Password
+                                      - STSSessionToken
+                                      - UUID
+                                      - VaultDynamicSecret
+                                      - Webhook
                                     type: string
                                   name:
                                     description: Specify the name of the generator resource
@@ -310,6 +323,7 @@ spec:
                               When sourceRef points to a generator Extract or Find is not supported.
                               The generator returns a static map of values
                             maxProperties: 1
+                            minProperties: 1
                             properties:
                               generatorRef:
                                 description: GeneratorRef points to a generator custom resource.
@@ -319,7 +333,19 @@ spec:
                                     description: Specify the apiVersion of the generator resource
                                     type: string
                                   kind:
-                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken, ClusterGenerator etc.
+                                    description: Specify the Kind of the generator resource
+                                    enum:
+                                      - ACRAccessToken
+                                      - ClusterGenerator
+                                      - ECRAuthorizationToken
+                                      - Fake
+                                      - GCRAccessToken
+                                      - GithubAccessToken
+                                      - Password
+                                      - STSSessionToken
+                                      - UUID
+                                      - VaultDynamicSecret
+                                      - Webhook
                                     type: string
                                   name:
                                     description: Specify the name of the generator resource
@@ -6891,6 +6917,7 @@ spec:
                           SourceRef allows you to override the source
                           from which the value will be pulled.
                         maxProperties: 1
+                        minProperties: 1
                         properties:
                           generatorRef:
                             description: |-
@@ -6904,7 +6931,19 @@ spec:
                                 description: Specify the apiVersion of the generator resource
                                 type: string
                               kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken, ClusterGenerator etc.
+                                description: Specify the Kind of the generator resource
+                                enum:
+                                  - ACRAccessToken
+                                  - ClusterGenerator
+                                  - ECRAuthorizationToken
+                                  - Fake
+                                  - GCRAccessToken
+                                  - GithubAccessToken
+                                  - Password
+                                  - STSSessionToken
+                                  - UUID
+                                  - VaultDynamicSecret
+                                  - Webhook
                                 type: string
                               name:
                                 description: Specify the name of the generator resource
@@ -7068,6 +7107,7 @@ spec:
                           When sourceRef points to a generator Extract or Find is not supported.
                           The generator returns a static map of values
                         maxProperties: 1
+                        minProperties: 1
                         properties:
                           generatorRef:
                             description: GeneratorRef points to a generator custom resource.
@@ -7077,7 +7117,19 @@ spec:
                                 description: Specify the apiVersion of the generator resource
                                 type: string
                               kind:
-                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken, ClusterGenerator etc.
+                                description: Specify the Kind of the generator resource
+                                enum:
+                                  - ACRAccessToken
+                                  - ClusterGenerator
+                                  - ECRAuthorizationToken
+                                  - Fake
+                                  - GCRAccessToken
+                                  - GithubAccessToken
+                                  - Password
+                                  - STSSessionToken
+                                  - UUID
+                                  - VaultDynamicSecret
+                                  - Webhook
                                 type: string
                               name:
                                 description: Specify the name of the generator resource
@@ -7533,7 +7585,19 @@ spec:
                           description: Specify the apiVersion of the generator resource
                           type: string
                         kind:
-                          description: Specify the Kind of the resource, e.g. Password, ACRAccessToken, ClusterGenerator etc.
+                          description: Specify the Kind of the generator resource
+                          enum:
+                            - ACRAccessToken
+                            - ClusterGenerator
+                            - ECRAuthorizationToken
+                            - Fake
+                            - GCRAccessToken
+                            - GithubAccessToken
+                            - Password
+                            - STSSessionToken
+                            - UUID
+                            - VaultDynamicSecret
+                            - Webhook
                           type: string
                         name:
                           description: Specify the name of the generator resource
@@ -13573,8 +13637,6 @@ spec:
     kind: ACRAccessToken
     listKind: ACRAccessTokenList
     plural: acraccesstokens
-    shortNames:
-      - acraccesstoken
     singular: acraccesstoken
   scope: Namespaced
   versions:
@@ -13792,8 +13854,6 @@ spec:
     kind: ClusterGenerator
     listKind: ClusterGeneratorList
     plural: clustergenerators
-    shortNames:
-      - cg
     singular: clustergenerator
   scope: Cluster
   versions:
@@ -13822,6 +13882,9 @@ spec:
             spec:
               properties:
                 generator:
+                  description: Generator the spec for this generator, must match the kind.
+                  maxProperties: 1
+                  minProperties: 1
                   properties:
                     acrAccessTokenSpec:
                       description: |-
@@ -15375,13 +15438,23 @@ spec:
                       type: object
                   type: object
                 kind:
+                  description: Kind the kind of this generator.
+                  enum:
+                    - ACRAccessToken
+                    - ECRAuthorizationToken
+                    - Fake
+                    - GCRAccessToken
+                    - GithubAccessToken
+                    - Password
+                    - STSSessionToken
+                    - UUID
+                    - VaultDynamicSecret
+                    - Webhook
                   type: string
               required:
                 - generator
                 - kind
               type: object
-            status:
-              type: object
           type: object
       served: true
       storage: true
@@ -15415,8 +15488,6 @@ spec:
     kind: ECRAuthorizationToken
     listKind: ECRAuthorizationTokenList
     plural: ecrauthorizationtokens
-    shortNames:
-      - ecrauthorizationtoken
     singular: ecrauthorizationtoken
   scope: Namespaced
   versions:
@@ -15617,8 +15688,6 @@ spec:
     kind: Fake
     listKind: FakeList
     plural: fakes
-    shortNames:
-      - fake
     singular: fake
   scope: Namespaced
   versions:
@@ -15695,8 +15764,6 @@ spec:
     kind: GCRAccessToken
     listKind: GCRAccessTokenList
     plural: gcraccesstokens
-    shortNames:
-      - gcraccesstoken
     singular: gcraccesstoken
   scope: Namespaced
   versions:
@@ -15840,8 +15907,6 @@ spec:
     kind: GithubAccessToken
     listKind: GithubAccessTokenList
     plural: githubaccesstokens
-    shortNames:
-      - githubaccesstoken
     singular: githubaccesstoken
   scope: Namespaced
   versions:
@@ -15965,8 +16030,6 @@ spec:
     kind: Password
     listKind: PasswordList
     plural: passwords
-    shortNames:
-      - password
     singular: password
   scope: Namespaced
   versions:
@@ -16065,8 +16128,6 @@ spec:
     kind: STSSessionToken
     listKind: STSSessionTokenList
     plural: stssessiontokens
-    shortNames:
-      - stssessiontoken
     singular: stssessiontoken
   scope: Namespaced
   versions:
@@ -16286,8 +16347,6 @@ spec:
     kind: UUID
     listKind: UUIDList
     plural: uuids
-    shortNames:
-      - uuids
     singular: uuid
   scope: Namespaced
   versions:
@@ -16349,8 +16408,6 @@ spec:
     kind: VaultDynamicSecret
     listKind: VaultDynamicSecretList
     plural: vaultdynamicsecrets
-    shortNames:
-      - vaultdynamicsecret
     singular: vaultdynamicsecret
   scope: Namespaced
   versions:
@@ -17210,8 +17267,6 @@ spec:
     kind: Webhook
     listKind: WebhookList
     plural: webhooks
-    shortNames:
-      - webhookl
     singular: webhook
   scope: Namespaced
   versions:

docs/api/spec.md

@@ -4584,7 +4584,7 @@ string
 </em>
 </td>
 <td>
-<p>Specify the Kind of the resource, e.g. Password, ACRAccessToken, ClusterGenerator etc.</p>
+<p>Specify the Kind of the generator resource</p>
 </td>
 </tr>
 <tr>

docs/snippets/generator-uuid-example.yaml

@@ -10,5 +10,5 @@ spec:
     - sourceRef:
         generatorRef:
           apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Uuid
+          kind: UUID
           name: "my-uuid"

docs/snippets/generator-uuid.yaml

@@ -1,5 +1,5 @@
 apiVersion: generators.external-secrets.io/v1alpha1
-kind: Uuid
+kind: UUID
 metadata:
   name: my-uuid
 spec: {}

pkg/generator/register/register.go

@@ -23,6 +23,8 @@ import (
 	_ "github.com/external-secrets/external-secrets/pkg/generator/gcr"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/github"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/password"
+	_ "github.com/external-secrets/external-secrets/pkg/generator/sts"
+	_ "github.com/external-secrets/external-secrets/pkg/generator/uuid"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/vault"
 	_ "github.com/external-secrets/external-secrets/pkg/generator/webhook"
 )

pkg/generator/sts/sts.go

@@ -110,5 +110,5 @@ func parseSpec(data []byte) (*genv1alpha1.STSSessionToken, error) {
 }
 
 func init() {
-	genv1alpha1.Register(genv1alpha1.STSSessionTokenGroupKind, &Generator{})
+	genv1alpha1.Register(genv1alpha1.STSSessionTokenKind, &Generator{})
 }

pkg/utils/resolvers/generator.go

@@ -94,7 +94,7 @@ func getGenerator(ctx context.Context, cl client.Client, scheme *runtime.Scheme,
 
 		// get the generator interface
 		var ok bool
-		generator, ok = genv1alpha1.GetGeneratorByName(clusterGenerator.Spec.Kind)
+		generator, ok = genv1alpha1.GetGeneratorByName(string(clusterGenerator.Spec.Kind))
 		if !ok {
 			return nil, nil, reconcile.TerminalError(fmt.Errorf("ClusterGenerator has unknown kind %s", clusterGenerator.Spec.Kind))
 		}
@@ -138,70 +138,70 @@ func getGenerator(ctx context.Context, cl client.Client, scheme *runtime.Scheme,
 // clusterGeneratorToVirtual converts a ClusterGenerator to a "virtual" namespaced generator that doesn't actually exist in the API.
 func clusterGeneratorToVirtual(gen *genv1alpha1.ClusterGenerator) (client.Object, error) {
 	switch gen.Spec.Kind {
-	case genv1alpha1.ACRAccessTokenKind:
+	case genv1alpha1.GeneratorKindACRAccessToken:
 		if gen.Spec.Generator.ACRAccessTokenSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, ACRAccessTokenSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.ACRAccessToken{
 			Spec: *gen.Spec.Generator.ACRAccessTokenSpec,
 		}, nil
-	case genv1alpha1.ECRAuthorizationTokenKind:
+	case genv1alpha1.GeneratorKindECRAuthorizationToken:
 		if gen.Spec.Generator.ECRAuthorizationTokenSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, ECRAuthorizationTokenSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.ECRAuthorizationToken{
 			Spec: *gen.Spec.Generator.ECRAuthorizationTokenSpec,
 		}, nil
-	case genv1alpha1.FakeKind:
+	case genv1alpha1.GeneratorKindFake:
 		if gen.Spec.Generator.FakeSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, FakeSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.Fake{
 			Spec: *gen.Spec.Generator.FakeSpec,
 		}, nil
-	case genv1alpha1.GCRAccessTokenKind:
+	case genv1alpha1.GeneratorKindGCRAccessToken:
 		if gen.Spec.Generator.GCRAccessTokenSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, GCRAccessTokenSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.GCRAccessToken{
 			Spec: *gen.Spec.Generator.GCRAccessTokenSpec,
 		}, nil
-	case genv1alpha1.GithubAccessTokenKind:
+	case genv1alpha1.GeneratorKindGithubAccessToken:
 		if gen.Spec.Generator.GithubAccessTokenSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, GithubAccessTokenSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.GithubAccessToken{
 			Spec: *gen.Spec.Generator.GithubAccessTokenSpec,
 		}, nil
-	case genv1alpha1.PasswordKind:
+	case genv1alpha1.GeneratorKindPassword:
 		if gen.Spec.Generator.PasswordSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, PasswordSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.Password{
 			Spec: *gen.Spec.Generator.PasswordSpec,
 		}, nil
-	case genv1alpha1.STSSessionTokenKind:
+	case genv1alpha1.GeneratorKindSTSSessionToken:
 		if gen.Spec.Generator.STSSessionTokenSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, STSSessionTokenSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.STSSessionToken{
 			Spec: *gen.Spec.Generator.STSSessionTokenSpec,
 		}, nil
-	case genv1alpha1.UUIDKind:
+	case genv1alpha1.GeneratorKindUUID:
 		if gen.Spec.Generator.UUIDSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, UUIDSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.UUID{
 			Spec: *gen.Spec.Generator.UUIDSpec,
 		}, nil
-	case genv1alpha1.VaultDynamicSecretKind:
+	case genv1alpha1.GeneratorKindVaultDynamicSecret:
 		if gen.Spec.Generator.VaultDynamicSecretSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, VaultDynamicSecretSpec must be set", gen.Spec.Kind)
 		}
 		return &genv1alpha1.VaultDynamicSecret{
 			Spec: *gen.Spec.Generator.VaultDynamicSecretSpec,
 		}, nil
-	case genv1alpha1.WebhookKind:
+	case genv1alpha1.GeneratorKindWebhook:
 		if gen.Spec.Generator.WebhookSpec == nil {
 			return nil, fmt.Errorf("when kind is %s, WebhookSpec must be set", gen.Spec.Kind)
 		}