
feat: introduce store deprecation (#5711)

Gustavo Fernandes de Carvalho 5 months ago
parent
commit
1ee457236c

+ 4 - 3
apis/externalsecrets/v1/provider_schema_maintenance.go

@@ -22,12 +22,13 @@ import (
 )
 
 // MaintenanceStatus defines a type for different maintenance states of a provider schema.
-type MaintenanceStatus bool
+type MaintenanceStatus string
 
 // These are the defined maintenance states for a provider schema.
 const (
-	MaintenanceStatusMaintained    MaintenanceStatus = true
-	MaintenanceStatusNotMaintained MaintenanceStatus = false
+	MaintenanceStatusMaintained    MaintenanceStatus = "Maintained"
+	MaintenanceStatusNotMaintained MaintenanceStatus = "NotMaintained"
+	MaintenanceStatusDeprecated    MaintenanceStatus = "Deprecated"
 )
 
 var maintenance map[string]MaintenanceStatus
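Review bot: With `MaintenanceStatus` now a string, its zero value `""` matches none of the three constants, whereas under the old bool type the zero value was `MaintenanceStatusNotMaintained`. A lookup in `maintenance` for a key that was never registered would therefore yield `""`, and the new switches in `validateStore` (secretstore_validator.go) and `reconcile` (pkg/controllers/secretstore/common.go) route that to `default` with no warning, so an unknown status is silently treated like a maintained one. Whether `GetMaintenanceStatus` already rejects missing entries is not visible in this diff. If it does not, make the `default` arm report the problem, for example `default: warns = append(warns, fmt.Sprintf("store %s has unknown maintenance status %q", store.GetName(), status))`, and add a comment on the type saying that the empty string is not a valid state.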

+ 1 - 0
apis/externalsecrets/v1/secretstore_types.go

@@ -285,6 +285,7 @@ const (
 	ReasonValidationUnknown     = "ValidationUnknown"
 	ReasonStoreValid            = "Valid"
 	StoreUnmaintained           = "StoreUnmaintained"
+	StoreDeprecated             = "StoreDeprecated"
 )
 
 // SecretStoreStatusCondition contains condition information for a SecretStore.

+ 9 - 2
apis/externalsecrets/v1/secretstore_validator.go

@@ -32,6 +32,7 @@ var _ admission.CustomValidator = &GenericStoreValidator{}
 const (
 	errInvalidStore       = "invalid store"
 	warnStoreUnmaintained = "store %s isn't currently maintained. Please plan and prepare accordingly."
+	warnStoreDeprecated   = "store %s is deprecated and will stop working on the next major version. Please plan and prepare accordingly."
 )
 
 // GenericStoreValidator implements webhook validation for SecretStore and ClusterSecretStore resources.
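Review bot: `warnStoreDeprecated` says the store "will stop working on the next major version", but `msgStoreDeprecated` in pkg/controllers/secretstore/common.go and the new admonition in docs/provider/alibaba.md both say it will be removed on the next minor release. The admission warning and the controller event describe the same condition, so an operator planning a migration off this provider gets two different deadlines. Which timeline is correct cannot be determined from the diff. Once decided, align the strings, e.g. `warnStoreDeprecated = "store %s is deprecated and will be removed on the next minor release. Please plan and prepare accordingly."`.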
@@ -69,13 +70,19 @@ func validateStore(store GenericStore) (admission.Warnings, error) {
 	if err != nil {
 		return nil, err
 	}
-	isMaintained, err := GetMaintenanceStatus(store)
+	status, err := GetMaintenanceStatus(store)
 	if err != nil {
 		return nil, err
 	}
 	warns, err := provider.ValidateStore(store)
-	if !isMaintained {
+	switch status {
+	case MaintenanceStatusNotMaintained:
 		warns = append(warns, fmt.Sprintf(warnStoreUnmaintained, store.GetName()))
+	case MaintenanceStatusDeprecated:
+		warns = append(warns, fmt.Sprintf(warnStoreDeprecated, store.GetName()))
+	case MaintenanceStatusMaintained:
+	default:
+		// no warnings
 	}
 	return warns, err
 }

+ 5 - 3
docs/api/spec.md

@@ -7071,7 +7071,7 @@ bool
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1.MaintenanceStatus">MaintenanceStatus
-(<code>bool</code> alias)</p></h3>
+(<code>string</code> alias)</p></h3>
 <p>
 <p>MaintenanceStatus defines a type for different maintenance states of a provider schema.</p>
 </p>
@@ -7082,9 +7082,11 @@ bool
 <th>Description</th>
 </tr>
 </thead>
-<tbody><tr><td><p>true</p></td>
+<tbody><tr><td><p>&#34;Deprecated&#34;</p></td>
+<td></td>
+</tr><tr><td><p>&#34;Maintained&#34;</p></td>
 <td></td>
-</tr><tr><td><p>false</p></td>
+</tr><tr><td><p>&#34;NotMaintained&#34;</p></td>
 <td></td>
 </tr></tbody>
 </table>

+ 1 - 1
docs/introduction/stability-support.md

@@ -71,7 +71,7 @@ The following table describes the stability level of each provider and who's res
 | [Kubernetes](https://external-secrets.io/latest/provider/kubernetes)                                       | beta      | [external-secrets](https://github.com/external-secrets)                                             |
 | [Yandex Lockbox](https://external-secrets.io/latest/provider/yandex-lockbox/)                              | alpha     | [@AndreyZamyslov](https://github.com/AndreyZamyslov) [@knelasevero](https://github.com/knelasevero) |
 | [GitLab Variables](https://external-secrets.io/latest/provider/gitlab-variables/)                          | alpha     | [@Jabray5](https://github.com/Jabray5)                                                              |
-| Alibaba Cloud KMS                                                                                          | alpha     | **UNMAINTAINED**                                                                                    |
+| Alibaba Cloud KMS                                                                                          | alpha     | **DEPRECATED**                                                                                    |
 | [Oracle Vault](https://external-secrets.io/latest/provider/oracle-vault)                                   | alpha     | [@anders-swanson](https://github.com/anders-swanson)                                                                                    |
 | [Akeyless](https://external-secrets.io/latest/provider/akeyless)                                           | stable    | [external-secrets](https://github.com/external-secrets)                                             |
 | [1Password](https://external-secrets.io/latest/provider/1password-automation)                              | alpha     | [@SimSpaceCorp](https://github.com/Simspace) [@snarlysodboxer](https://github.com/snarlysodboxer)   |

+ 6 - 0
docs/provider/alibaba.md

@@ -1,4 +1,10 @@
 
+!!! warning "Provider Deprecated"
+  This provider is deprecated due to lack of maintenance and
+  licensing issues.
+  It will be removed on the next minor release.
+
+
 ## Alibaba Cloud Secrets Manager
 
 External Secrets Operator integrates with [Alibaba Cloud Key Management Service](https://www.alibabacloud.com/help/en/key-management-service/latest/kms-what-is-key-management-service/) for secrets and Keys management.

+ 11 - 3
pkg/controllers/secretstore/common.go

@@ -50,6 +50,7 @@ const (
 
 	msgStoreValidated     = "store validated"
 	msgStoreNotMaintained = "store isn't currently maintained. Please plan and prepare accordingly."
+	msgStoreDeprecated    = "store is deprecated and will be removed on the next minor release. Please plan and prepare accordingly."
 
 	// Finalizer for SecretStores when they have PushSecrets with DeletionPolicy=Delete.
 	secretStoreFinalizer = "secretstore.externalsecrets.io/finalizer"
@@ -125,9 +126,16 @@ func reconcile(ctx context.Context, req ctrl.Request, ss esapi.GenericStore, cl
 	}
 	annotations := ss.GetAnnotations()
 	_, ok := annotations["external-secrets.io/ignore-maintenance-checks"]
-
-	if !bool(isMaintained) && !ok {
-		opts.Recorder.Event(ss, v1.EventTypeWarning, esapi.StoreUnmaintained, msgStoreNotMaintained)
+	if !ok {
+		switch isMaintained {
+		case esapi.MaintenanceStatusNotMaintained:
+			opts.Recorder.Event(ss, v1.EventTypeWarning, esapi.StoreUnmaintained, msgStoreNotMaintained)
+		case esapi.MaintenanceStatusDeprecated:
+			opts.Recorder.Event(ss, v1.EventTypeWarning, esapi.StoreDeprecated, msgStoreDeprecated)
+		case esapi.MaintenanceStatusMaintained:
+		default:
+			// no warnings
+		}
 	}
 
 	capStatus := esapi.SecretStoreStatus{
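Review bot: The `external-secrets.io/ignore-maintenance-checks` annotation now also silences the `StoreDeprecated` event, and the check is presence-only (`_, ok := annotations[...]`), so any value, including `"false"`, suppresses it. A store that opted out of the unmaintained notice would therefore get no event before its provider is removed. Consider emitting the deprecation event regardless of the annotation, or document on the annotation that it also covers deprecation. Separately, `isMaintained` no longer holds a boolean; renaming it to `status`, as `validateStore` does, would match the new type, though its assignment lies outside this hunk.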

+ 1 - 1
providers/v1/alibaba/kms.go

@@ -375,5 +375,5 @@ func ProviderSpec() *esv1.SecretStoreProvider {
 
 // MaintenanceStatus returns the maintenance status of the provider.
 func MaintenanceStatus() esv1.MaintenanceStatus {
-	return esv1.MaintenanceStatusNotMaintained
+	return esv1.MaintenanceStatusDeprecated
 }