
Merge pull request #16 from mcavoyk/feat/cluster-store

Add ClusterSecretStore resource
Jonatas Baldin 5 years ago
2c7a46fb3c

+ 2 - 2
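--- a/Dockerfile
+++ b/Dockerfile
@@ -11,8 +11,8 @@ RUN go mod download
 
 # Copy the go source
 COPY main.go main.go
-COPY api/ api/
-COPY controllers/ controllers/
+COPY apis/ apis/
+COPY pkg/ pkg/
 
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go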

+ 1 - 0
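--- a/PROJECT
+++ b/PROJECT
@@ -1,4 +1,5 @@
 domain: io
+multigroup: true
 repo: github.com/external-secrets/external-secrets
 resources:
 - group: external-secrets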

+ 0 - 42
api/v1alpha1/groupversion_info.go

@@ -1,42 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package v1alpha1 contains API Schema definitions for the external-secrets v1alpha1 API group
-// +kubebuilder:object:generate=true
-// +groupName=external-secrets.io
-package v1alpha1
-
-import (
-	"reflect"
-
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"sigs.k8s.io/controller-runtime/pkg/scheme"
-)
-
-var (
-	// GroupVersion is group version used to register these objects.
-	GroupVersion = schema.GroupVersion{Group: "external-secrets.io", Version: "v1alpha1"}
-
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
-	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
-
-	// AddToScheme adds the types in this group-version to the given scheme.
-	AddToScheme = SchemeBuilder.AddToScheme
-)
-
-// SecretStore type metadata.
-var (
-	SecretStoreKind           = reflect.TypeOf(SecretStore{}).Name()
-	SecretStoreKindAPIVersion = SecretStoreKind + "." + GroupVersion.String()
-)

+ 18 - 0
apis/doc.go

@@ -0,0 +1,18 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//
+// +domain=external-secrets.io
+
+package apis
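Review bot: The comment block on L111-L112 is separated from `package apis` by a blank line (L113), so Go does not treat it as the package's doc comment, and the empty `//` on L111 adds nothing; apis/externalsecrets/doc.go has the same blank line between its `+groupName` marker and `package externalsecrets`. If the markers are meant to be package-level markers for controller-gen, keep them directly above the package clause, e.g. `// Package apis holds the external-secrets API groups.` followed by `// +domain=external-secrets.io` and then `package apis` with no blank line in between. I cannot confirm from this page whether controller-gen consumes the `+domain` marker at all, so if it does not, the line is better dropped than kept detached.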

+ 17 - 0
apis/externalsecrets/doc.go

@@ -0,0 +1,17 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +groupName=external-secrets.io
+
+package externalsecrets

+ 4 - 9
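--- a/api/v1alpha1/meta_types.go
+++ b/api/v1alpha1/meta_types.go
@@ -12,13 +12,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package v1alpha1 contains resources for external-secrets
+// +kubebuilder:object:generate=true
+// +groupName=external-secrets.io
+// +versionName=v1alpha1
 package v1alpha1
-
-// Refers to a Secret in Kubernetes.
-type SecretKeySelector struct {
-	Name string `json:"name"`
-	Key  string `json:"key"`
-
-	// +optional
-	Namespace *string `json:"namespace,omitempty"`
-}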

+ 2 - 6
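--- a/api/v1alpha1/externalsecret_types.go
+++ b/api/v1alpha1/externalsecret_types.go
@@ -174,7 +174,7 @@ type ExternalSecretStatus struct {
 
 // +kubebuilder:object:root=true
 
-// ExternalSecret is the Schema for the externalsecrets API.
+// ExternalSecret is the Schema for the external-secrets API.
 type ExternalSecret struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -185,13 +185,9 @@ type ExternalSecret struct {
 
 // +kubebuilder:object:root=true
 
-// ExternalSecretList contains a list of ExternalSecret.
+// ExternalSecretList contains a list of ExternalSecret resources.
 type ExternalSecretList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []ExternalSecret `json:"items"`
 }
-
-func init() {
-	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
-}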

+ 25 - 5
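--- a/api/v1alpha1/generic_store.go
+++ b/api/v1alpha1/generic_store.go
@@ -29,19 +29,39 @@ import (
 type GenericStore interface {
 	runtime.Object
 	metav1.Object
-	GetProvider() *SecretStoreProvider
+
+	GetObjectMeta() *metav1.ObjectMeta
+	GetSpec() *SecretStoreSpec
 }
 
 // +kubebuilder:object:root:false
 // +kubebuilder:object:generate:false
 var _ GenericStore = &SecretStore{}
 
-// GetProvider returns the underlying provider.
-func (c *SecretStore) GetProvider() *SecretStoreProvider {
-	return c.Spec.Provider
+func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *SecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
 }
 
-// Copy returns a DeepCopy of the Store.
 func (c *SecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
+
+// +kubebuilder:object:root:false
+// +kubebuilder:object:generate:false
+var _ GenericStore = &ClusterSecretStore{}
+
+func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
+}
+
+func (c *ClusterSecretStore) Copy() GenericStore {
+	return c.DeepCopy()
+}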
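Review bot: The six new exported methods (GetObjectMeta, GetSpec and Copy on both receivers, L235-L267) carry no doc comments, and the hunk deletes the two that existed (`// GetProvider returns the underlying provider.`, `// Copy returns a DeepCopy of the Store.`); each should get a one-liner such as `// GetObjectMeta returns a pointer to the store's ObjectMeta.`, `// GetSpec returns a pointer to the store's spec.` and `// Copy returns a deep copy of the store as a GenericStore.`, and the interface methods on L218-L219 deserve the same. A second point, hedged because the apimachinery code is not on this page: metav1.ObjectMeta already has a promoted `GetObjectMeta() metav1.Object` method, so defining `GetObjectMeta() *metav1.ObjectMeta` on SecretStore and ClusterSecretStore shadows it with a different return type and the two types stop satisfying metav1.ObjectMetaAccessor. If nothing relies on that accessor the shadowing is harmless, but a name that does not collide (for instance `ObjectMetaRef()`) avoids the question entirely.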

+ 67 - 0
apis/externalsecrets/v1alpha1/register.go

@@ -0,0 +1,67 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+// Package type metadata.
+const (
+	Group   = "external-secrets.io"
+	Version = "v1alpha1"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects.
+	SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// ExternalSecret type metadata.
+var (
+	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
+	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
+	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
+	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
+)
+
+// SecretStore type metadata.
+var (
+	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
+	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
+	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
+	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
+)
+
+// ClusterSecretStore type metadata.
+var (
+	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
+	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
+	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
+)
+
+func init() {
+	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
+	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
+	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
+}
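Review bot: AddToScheme on L308 is exported but has no doc comment while its two neighbours in the same var block do; the deleted groupversion_info.go had one that can be carried over verbatim: `// AddToScheme adds the types in this group-version to the given scheme.`. The kind-metadata blocks are also inconsistently named: L313-L316 abbreviate to `ExtSecretKind`/`ExtSecretGroupKind`/… while L321-L332 spell out `SecretStoreKind` and `ClusterSecretStoreKind`, so `ExternalSecretKind` and friends would match the pattern and the type name. Both are style points only; the registration in init() on L335-L339 looks complete for the three kinds declared in this commit.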

+ 6 - 2
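--- a/api/v1alpha1/secretstore_awssm_types.go
+++ b/api/v1alpha1/secretstore_awssm_types.go
@@ -14,6 +14,10 @@ limitations under the License.
 
 package v1alpha1
 
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
 type AWSSMAuth struct {
 	SecretRef AWSSMAuthSecretRef `json:"secretRef"`
 }
@@ -21,11 +25,11 @@ type AWSSMAuth struct {
 type AWSSMAuthSecretRef struct {
 	// The AccessKeyID is used for authentication
 	// +optional
-	AccessKeyID SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
 
 	// The SecretAccessKey is used for authentication
 	// +optional
-	SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
+	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
 }
 
 // Configures a store to sync secrets using the AWS Secret Manager provider.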
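Review bot: Switching AccessKeyID and SecretAccessKey to esmeta.SecretKeySelector (L369, L377) makes the `key` of each reference optional at admission time, because the shared type marks Key `+optional` and the regenerated secretstores CRD in this commit drops `- key` from both `required` lists. A store that names a Secret but not the entry to read is therefore accepted by the API server, and unless the AWS provider defaults the key (nothing in this commit shows that) the mistake only surfaces when the reconciler tries to read the credential. The reconciler should reject an empty Key for both refs with an explicit status condition rather than a generic sync failure; the provider code lives under pkg/, outside this page. A short doc comment on the struct, e.g. `// AWSSMAuthSecretRef names the Secret entries holding the AWS access key ID and secret access key.`, would also state what the two refs are expected to point at.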

+ 25 - 4
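--- a/api/v1alpha1/secretstore_types.go
+++ b/api/v1alpha1/secretstore_types.go
@@ -88,7 +88,10 @@ type SecretStoreStatus struct {
 
 // +kubebuilder:object:root=true
 
-// SecretStore is the Schema for the secretstores API.
+// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss
 type SecretStore struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -99,13 +102,31 @@ type SecretStore struct {
 
 // +kubebuilder:object:root=true
 
-// SecretStoreList contains a list of SecretStore.
+// SecretStoreList contains a list of SecretStore resources.
 type SecretStoreList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []SecretStore `json:"items"`
 }
 
-func init() {
-	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
+// +kubebuilder:object:root=true
+
+// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css
+type ClusterSecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec SecretStoreSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
+type ClusterSecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterSecretStore `json:"items"`
 }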
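Review bot: ClusterSecretStore (L435-L440) enables `+kubebuilder:subresource:status` on L433 but declares no Status field, so the generated clustersecretstores CRD in this commit exposes a status subresource while its schema has no `status` property, and a controller updating status through it has nothing to write into. Add `Status SecretStoreStatus `json:"status,omitempty"`` after Spec; SecretStoreStatus is declared just above the first hunk, though whether SecretStore itself carries such a field is outside what the hunk shows. The doc comment on L431 is a verbatim copy of SecretStore's on L396 and says nothing about the one thing that differs; if the intent is that a cluster-scoped store can be referenced from any namespace, say so, e.g. `// ClusterSecretStore is the cluster-scoped counterpart of SecretStore and can be referenced from ExternalSecrets in any namespace.`.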

+ 58 - 20
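--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -72,6 +72,64 @@ func (in *AWSSMProvider) DeepCopy() *AWSSMProvider {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore.
+func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterSecretStore, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList.
+func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
@@ -288,26 +346,6 @@ func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMeta
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
-	*out = *in
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
-func (in *SecretKeySelector) DeepCopy() *SecretKeySelector {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretKeySelector)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretStore) DeepCopyInto(out *SecretStore) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta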

+ 16 - 0
apis/meta/doc.go

@@ -0,0 +1,16 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package meta contains meta types for external-secret APIs.
+package meta

+ 17 - 0
apis/meta/v1/doc.go

@@ -0,0 +1,17 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package meta contains meta types for external-secrets APIs
+// +kubebuilder:object:generate=true
+package v1
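Review bot: The package comment on L599 begins `Package meta` but the package clause on L601 is `package v1`, so the doc comment does not follow the Go convention of naming the package it documents, and it also duplicates the comment of the parent package in apis/meta/doc.go, which really is `package meta`. Use `// Package v1 contains version v1 of the meta types shared by the external-secrets APIs.` and keep the `+kubebuilder:object:generate=true` marker on the following line as it is now.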

+ 30 - 0
apis/meta/v1/types.go

@@ -0,0 +1,30 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// A reference to a specific 'key' within a Secret resource,
+// In some instances, `key` is a required field.
+type SecretKeySelector struct {
+	// The name of the Secret resource being referred to.
+	Name string `json:"name"`
+	// Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+	// to the namespace of the referent.
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+	// The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+	// defaulted, in others it may be required.
+	// +optional
+	Key string `json:"key,omitempty"`
+}
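Review bot: The Namespace doc comment on L628-L629 is ambiguous: `Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.` treats the referent (the Secret) as if it had a scope, and the second sentence contradicts the first. If the intent is that only a cluster-scoped referrer such as ClusterSecretStore may pick a namespace, write that: `// Namespace of the Secret being referred to. Only honoured when the referring object is cluster-scoped; a namespaced referrer has it ignored and its own namespace is used.`. That rule is what keeps a namespaced SecretStore from reading Secrets outside its own namespace, and nothing in this commit enforces it — the controllers under pkg/controllers are not on this page, so the check and a test for it should be confirmed there. The type comment on L623-L624 should also start with the type name and lose the stray comma, e.g. `// SecretKeySelector references a specific key within a Secret resource; in some instances key is required.`.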

+ 41 - 0
apis/meta/v1/zz_generated.deepcopy.go

@@ -0,0 +1,41 @@
+// +build !ignore_autogenerated
+
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1
+
+import ()
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
+func (in *SecretKeySelector) DeepCopy() *SecretKeySelector {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretKeySelector)
+	in.DeepCopyInto(out)
+	return out
+}

+ 140 - 0
config/crd/bases/external-secrets.io_clustersecretstores.yaml

@@ -0,0 +1,140 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  creationTimestamp: null
+  name: clustersecretstores.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+    - externalsecrets
+    kind: ClusterSecretStore
+    listKind: ClusterSecretStoreList
+    plural: clustersecretstores
+    shortNames:
+    - css
+    singular: clustersecretstore
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: AGE
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ClusterSecretStore represents a secure external location for
+          storing secrets, which can be referenced as part of `storeRef` fields.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: SecretStoreSpec defines the desired state of SecretStore.
+            properties:
+              controller:
+                description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
+                  The KES controller is instantiated with a specific controller name
+                  and filters ES based on this property'
+                type: string
+              provider:
+                description: Used to configure the provider. Only one provider may
+                  be set
+                maxProperties: 1
+                minProperties: 1
+                properties:
+                  awssm:
+                    description: AWSSM configures this store to sync secrets using
+                      AWS Secret Manager provider
+                    properties:
+                      auth:
+                        description: Auth defines the information necessary to authenticate
+                          against AWS
+                        properties:
+                          secretRef:
+                            properties:
+                              accessKeyIDSecretRef:
+                                description: The AccessKeyID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                      region:
+                        description: AWS Region to be used for the provider
+                        type: string
+                      role:
+                        description: Role is a Role ARN which the SecretManager provider
+                          will assume
+                        type: string
+                    required:
+                    - auth
+                    - region
+                    type: object
+                type: object
+            required:
+            - provider
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

+ 1 - 1
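--- a/config/crd/bases/external-secrets.io_externalsecrets.yaml
+++ b/config/crd/bases/external-secrets.io_externalsecrets.yaml
@@ -17,7 +17,7 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: ExternalSecret is the Schema for the externalsecrets API.
+        description: ExternalSecret is the Schema for the external-secrets API.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation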

+ 33 - 4
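--- a/config/crd/bases/external-secrets.io_secretstores.yaml
+++ b/config/crd/bases/external-secrets.io_secretstores.yaml
@@ -8,16 +8,25 @@ metadata:
 spec:
   group: external-secrets.io
   names:
+    categories:
+    - externalsecrets
     kind: SecretStore
     listKind: SecretStoreList
     plural: secretstores
+    shortNames:
+    - ss
     singular: secretstore
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: AGE
+      type: date
+    name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: SecretStore is the Schema for the secretstores API.
+        description: SecretStore represents a secure external location for storing
+          secrets, which can be referenced as part of `storeRef` fields.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -59,26 +68,44 @@ spec:
                                 description: The AccessKeyID is used for authentication
                                 properties:
                                   key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
                                     type: string
                                   name:
+                                    description: The name of the Secret resource being
+                                      referred to.
                                     type: string
                                   namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
                                     type: string
                                 required:
-                                - key
                                 - name
                                 type: object
                               secretAccessKeySecretRef:
                                 description: The SecretAccessKey is used for authentication
                                 properties:
                                   key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
                                     type: string
                                   name:
+                                    description: The name of the Secret resource being
+                                      referred to.
                                     type: string
                                   namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
                                     type: string
                                 required:
-                                - key
                                 - name
                                 type: object
                             type: object
@@ -128,6 +155,8 @@ spec:
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""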

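--- a/main.go
+++ b/main.go
@@ -25,8 +25,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	// +kubebuilder:scaffold:imports
-	externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
-	"github.com/external-secrets/external-secrets/controllers"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret"
+	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
 )
 
 var (
@@ -37,7 +38,7 @@ var (
 func init() {
 	_ = clientgoscheme.AddToScheme(scheme)
 
-	_ = externalsecretsv1alpha1.AddToScheme(scheme)
+	_ = esv1alpha1.AddToScheme(scheme)
 	// +kubebuilder:scaffold:scheme
 }
 
@@ -64,7 +65,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err = (&controllers.SecretStoreReconciler{
+	if err = (&secretstore.Reconciler{
 		Client: mgr.GetClient(),
 		Log:    ctrl.Log.WithName("controllers").WithName("SecretStore"),
 		Scheme: mgr.GetScheme(),
@@ -72,7 +73,7 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "SecretStore")
 		os.Exit(1)
 	}
-	if err = (&controllers.ExternalSecretReconciler{
+	if err = (&externalsecret.Reconciler{
 		Client: mgr.GetClient(),
 		Log:    ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
 		Scheme: mgr.GetScheme(),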

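--- a/controllers/externalsecret_controller.go
+++ b/controllers/externalsecret_controller.go
@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package externalsecret
 
 import (
 	"context"
@@ -22,11 +22,11 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 )
 
-// ExternalSecretReconciler reconciles a ExternalSecret object.
-type ExternalSecretReconciler struct {
+// Reconciler reconciles a ExternalSecret object.
+type Reconciler struct {
 	client.Client
 	Log    logr.Logger
 	Scheme *runtime.Scheme
@@ -35,7 +35,7 @@ type ExternalSecretReconciler struct {
 // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets/status,verbs=get;update;patch
 
-func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+func (r *Reconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	_ = context.Background()
 	_ = r.Log.WithValues("externalsecret", req.NamespacedName)
 
@@ -44,8 +44,8 @@ func (r *ExternalSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
 	return ctrl.Result{}, nil
 }
 
-func (r *ExternalSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&externalsecretsv1alpha1.ExternalSecret{}).
+		For(&esv1alpha1.ExternalSecret{}).
 		Complete(r)
 }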
 }

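--- a/pkg/controllers/externalsecret/suite_test.go
+++ b/pkg/controllers/externalsecret/suite_test.go
@@ -0,0 +1,81 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package externalsecret
+
+import (
+	"path/filepath"
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+)
+
+// These tests use Ginkgo (BDD-style Go testing framework). Refer to
+// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
+
+var cfg *rest.Config
+var k8sClient client.Client
+var testEnv *envtest.Environment
+
+func TestAPIs(t *testing.T) {
+	RegisterFailHandler(Fail)
+
+	RunSpecsWithDefaultAndCustomReporters(t,
+		"Controller Suite",
+		[]Reporter{printer.NewlineReporter{}})
+}
+
+var _ = BeforeSuite(func(done Done) {
+	logf.SetLogger(zap.LoggerTo(GinkgoWriter, true))
+
+	By("bootstrapping test environment")
+	testEnv = &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")},
+	}
+
+	var err error
+	cfg, err = testEnv.Start()
+	Expect(err).ToNot(HaveOccurred())
+	Expect(cfg).ToNot(BeNil())
+
+	err = esv1alpha1.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	err = esv1alpha1.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	// +kubebuilder:scaffold:scheme
+
+	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
+	Expect(err).ToNot(HaveOccurred())
+	Expect(k8sClient).ToNot(BeNil())
+
+	close(done)
+}, 60)
+
+var _ = AfterSuite(func() {
+	By("tearing down the test environment")
+	err := testEnv.Stop()
+	Expect(err).ToNot(HaveOccurred())
+})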
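Review bot: The envtest CRD path in this new suite does not match the file's new location: `filepath.Join("..", "config", "crd", "bases")` resolves from pkg/controllers/externalsecret to pkg/controllers/config/crd/bases, whereas the scaffolded controllers/suite_test.go sat one level below the repository root where `..` reached a root-level config/crd/bases. If the CRDs are still at the repository root, as the kubebuilder layout implies, this suite will either fail at `testEnv.Start()` or run against an apiserver that has none of the external-secrets CRDs installed; the line should read `CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")},` (confirm against the actual CRD location, and check the moved secretstore suite for the same `..`). Separately, `esv1alpha1.AddToScheme(scheme.Scheme)` is called twice back to back with the same `Expect`; the second call and its check are redundant and can be dropped, and the same duplicated pair is carried over unchanged in the controllers/suite_test.go hunk at `@@ -59,10 +59,10 @@`.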

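--- a/controllers/secretstore_controller.go
+++ b/controllers/secretstore_controller.go
@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package secretstore
 
 import (
 	"context"
@@ -22,11 +22,11 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 )
 
-// SecretStoreReconciler reconciles a SecretStore object.
-type SecretStoreReconciler struct {
+// Reconciler reconciles a SecretStore object.
+type Reconciler struct {
 	client.Client
 	Log    logr.Logger
 	Scheme *runtime.Scheme
@@ -35,7 +35,7 @@ type SecretStoreReconciler struct {
 // +kubebuilder:rbac:groups=external-secrets.io,resources=secretstores,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=external-secrets.io,resources=secretstores/status,verbs=get;update;patch
 
-func (r *SecretStoreReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+func (r *Reconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	_ = context.Background()
 	_ = r.Log.WithValues("secretstore", req.NamespacedName)
 
@@ -44,8 +44,8 @@ func (r *SecretStoreReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
 	return ctrl.Result{}, nil
 }
 
-func (r *SecretStoreReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&externalsecretsv1alpha1.SecretStore{}).
+		For(&esv1alpha1.SecretStore{}).
 		Complete(r)
 }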
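Review bot: The new ClusterSecretStore resource that this pull request introduces has no reconciler or RBAC coverage anywhere in the diff: `SetupWithManager` still builds the controller with `For(&esv1alpha1.SecretStore{})` only, the `+kubebuilder:rbac` markers above `Reconcile` name only `secretstores` and `secretstores/status`, and main.go wires just the secretstore and externalsecret reconcilers. Unless a ClusterSecretStore controller lives outside this diff, the cluster-scoped type will be served by the apiserver but never reconciled, and the generated ClusterRole will not grant the manager rights to read it. A minimal first step is a marker such as `// +kubebuilder:rbac:groups=external-secrets.io,resources=clustersecretstores,verbs=get;list;watch` next to the existing ones, plus a watch or a second controller for `esv1alpha1.ClusterSecretStore` so that validation of cluster-scoped stores is not silently skipped. Since the CRD's `namespace` description earlier in this diff lets a cluster-scoped referent point at Secrets in other namespaces, it is worth stating in the type's doc comment which namespace a ClusterSecretStore's credentials are resolved from, so that operators can scope who may create them.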

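--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package secretstore
 
 import (
 	"path/filepath"
@@ -28,7 +28,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	externalsecretsv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 )
 
 // These tests use Ginkgo (BDD-style Go testing framework). Refer to
@@ -59,10 +59,10 @@ var _ = BeforeSuite(func(done Done) {
 	Expect(err).ToNot(HaveOccurred())
 	Expect(cfg).ToNot(BeNil())
 
-	err = externalsecretsv1alpha1.AddToScheme(scheme.Scheme)
+	err = esv1alpha1.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
-	err = externalsecretsv1alpha1.AddToScheme(scheme.Scheme)
+	err = esv1alpha1.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
 	// +kubebuilder:scaffold:scheme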

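--- a/pkg/provider/aws/secretsmanager/secretsmanager.go
+++ b/pkg/provider/aws/secretsmanager/secretsmanager.go
@@ -18,7 +18,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 )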

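--- a/pkg/provider/fake/fake.go
+++ b/pkg/provider/fake/fake.go
@@ -19,7 +19,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 )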

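--- a/pkg/provider/provider.go
+++ b/pkg/provider/provider.go
@@ -19,7 +19,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 )
 
 // Provider is a common interface for interacting with secret backends.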

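--- a/pkg/provider/schema/schema.go
+++ b/pkg/provider/schema/schema.go
@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"sync"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 )
 
@@ -71,8 +71,8 @@ func GetProviderByName(name string) (provider.Provider, bool) {
 
 // GetProvider returns the provider from the generic store.
 func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) {
-	provider := s.GetProvider()
-	storeName, err := getProviderName(provider)
+	spec := s.GetSpec()
+	storeName, err := getProviderName(spec.Provider)
 	if err != nil {
 		return nil, fmt.Errorf("store error for %s: %w", s.GetName(), err)
 	}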

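--- a/pkg/provider/schema/schema_test.go
+++ b/pkg/provider/schema/schema_test.go
@@ -20,7 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/api/v1alpha1"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 )
 
@@ -44,11 +44,23 @@ func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretData
 func TestRegister(t *testing.T) {
 	p, ok := GetProviderByName("awssm")
 	assert.Nil(t, p)
-	assert.False(t, ok)
-	ForceRegister(&PP{}, &esv1alpha1.SecretStoreProvider{
-		AWSSM: &esv1alpha1.AWSSMProvider{},
-	})
-	p, ok = GetProviderByName("awssm")
-	assert.NotNil(t, p)
-	assert.True(t, ok)
+	assert.False(t, ok, "provider should not be registered")
+
+	testProvider := &PP{}
+	secretStore := &esv1alpha1.SecretStore{
+		Spec: esv1alpha1.SecretStoreSpec{
+			Provider: &esv1alpha1.SecretStoreProvider{
+				AWSSM: &esv1alpha1.AWSSMProvider{},
+			},
+		},
+	}
+
+	ForceRegister(testProvider, secretStore.Spec.Provider)
+	p1, ok := GetProviderByName("awssm")
+	assert.True(t, ok, "provider should be registered")
+	assert.Equal(t, testProvider, p1)
+
+	p2, err := GetProvider(secretStore)
+	assert.Nil(t, err)
+	assert.Equal(t, testProvider, p2)
 }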
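Review bot: The new `GetProvider` path through `GenericStore.GetSpec()` (changed in schema.go in this same commit) is exercised here only with a namespaced `SecretStore`, although the commit's purpose is the cluster-scoped store; a second case built from `&esv1alpha1.ClusterSecretStore{...}` with the same `Spec` passed to `GetProvider` would pin the behaviour the interface was introduced for. Also, `assert.Nil(t, err)` on the `GetProvider` result should be `assert.NoError(t, err)`: it reads as an error check and, on failure, prints the wrapped `store error for ...` message instead of a bare non-nil value. As before this change, `ForceRegister` leaves the test provider in the package-level registry for the rest of the test binary; that is pre-existing, but worth a one-line comment such as `// ForceRegister mutates the global registry; keep this the only test that registers "awssm".`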