feat: add cluster store

apis/externalsecrets/v1alpha1/generic_store.go

@@ -29,19 +29,39 @@ import (
 type GenericStore interface {
 	runtime.Object
 	metav1.Object
-	GetProvider() *SecretStoreProvider
+
+	GetObjectMeta() *metav1.ObjectMeta
+	GetSpec() *SecretStoreSpec
 }
 
 // +kubebuilder:object:root:false
 // +kubebuilder:object:generate:false
 var _ GenericStore = &SecretStore{}
 
-// GetProvider returns the underlying provider.
-func (c *SecretStore) GetProvider() *SecretStoreProvider {
-	return c.Spec.Provider
+func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *SecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
 }
 
-// Copy returns a DeepCopy of the Store.
 func (c *SecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
+
+// +kubebuilder:object:root:false
+// +kubebuilder:object:generate:false
+var _ GenericStore = &ClusterSecretStore{}
+
+func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
+}
+
+func (c *ClusterSecretStore) Copy() GenericStore {
+	return c.DeepCopy()
+}

apis/externalsecrets/v1alpha1/register.go

@@ -52,7 +52,16 @@ var (
 	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
 )
 
+// ClusterSecretStore type metadata.
+var (
+	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
+	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
+	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
+)
+
 func init() {
 	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
 	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
+	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
 }

apis/externalsecrets/v1alpha1/secretstore_types.go

@@ -88,7 +88,10 @@ type SecretStoreStatus struct {
 
 // +kubebuilder:object:root=true
 
-// SecretStore is the Schema for the secretstores API.
+// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss
 type SecretStore struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -105,3 +108,25 @@ type SecretStoreList struct {
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []SecretStore `json:"items"`
 }
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css
+type ClusterSecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec SecretStoreSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStoreList contains a list of ClusterSecretStore.
+type ClusterSecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalSecret `json:"items"`
+}

apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -72,6 +72,64 @@ func (in *AWSSMProvider) DeepCopy() *AWSSMProvider {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore.
+func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ExternalSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList.
+func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta

config/crd/bases/external-secrets.io_clustersecretstores.yaml

@@ -0,0 +1,142 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  creationTimestamp: null
+  name: clustersecretstores.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+    - externalsecrets
+    kind: ClusterSecretStore
+    listKind: ClusterSecretStoreList
+    plural: clustersecretstores
+    shortNames:
+    - css
+    singular: clustersecretstore
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: AGE
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ClusterSecretStore represents a secure external location for
+          storing secrets, which can be referenced as part of `storeRef` fields.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: SecretStoreSpec defines the desired state of SecretStore.
+            properties:
+              controller:
+                description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
+                  The KES controller is instantiated with a specific controller name
+                  and filters ES based on this property'
+                type: string
+              provider:
+                description: Used to configure the provider. Only one provider may
+                  be set
+                maxProperties: 1
+                minProperties: 1
+                properties:
+                  awssm:
+                    description: AWSSM configures this store to sync secrets using
+                      AWS Secret Manager provider
+                    properties:
+                      auth:
+                        description: Auth defines the information necessary to authenticate
+                          against AWS
+                        properties:
+                          secretRef:
+                            properties:
+                              accessKeyIDSecretRef:
+                                description: The AccessKeyID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: 'Name of the resource being referred
+                                      to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: 'Name of the resource being referred
+                                      to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                      region:
+                        description: AWS Region to be used for the provider
+                        type: string
+                      role:
+                        description: Role is a Role ARN which the SecretManager provider
+                          will assume
+                        type: string
+                    required:
+                    - auth
+                    - region
+                    type: object
+                type: object
+            required:
+            - provider
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/bases/external-secrets.io_secretstores.yaml

@@ -10,16 +10,25 @@ metadata:
 spec:
   group: external-secrets.io
   names:
+    categories:
+    - externalsecrets
     kind: SecretStore
     listKind: SecretStoreList
     plural: secretstores
+    shortNames:
+    - ss
     singular: secretstore
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: AGE
+      type: date
+    name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: SecretStore is the Schema for the secretstores API.
+        description: SecretStore represents a secure external location for storing
+          secrets, which can be referenced as part of `storeRef` fields.
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
@@ -148,6 +157,8 @@ spec:
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}
 status:
   acceptedNames:
     kind: ""

pkg/provider/schema/schema.go

@@ -71,8 +71,8 @@ func GetProviderByName(name string) (provider.Provider, bool) {
 
 // GetProvider returns the provider from the generic store.
 func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) {
-	provider := s.GetProvider()
-	storeName, err := getProviderName(provider)
+	spec := s.GetSpec()
+	storeName, err := getProviderName(spec.Provider)
 	if err != nil {
 		return nil, fmt.Errorf("store error for %s: %w", s.GetName(), err)
 	}