4 years ago · d27f256ede
--- a/deploy/charts/external-secrets/templates/cert-controller-service.yaml
+++ b/deploy/charts/external-secrets/templates/cert-controller-service.yaml
@@ -1,4 +1,4 @@
 
				-{{- if .Values.certController.prometheus.enabled }}
			
 
				+{{- if and .Values.certController.create .Values.certController.prometheus.enabled }}
			
 
				 apiVersion: v1
			
 
				 kind: Service
			
 
				 metadata:
			
--- a/deploy/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
+++ b/deploy/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
@@ -1,4 +1,4 @@
 
				-{{- if .Values.certController.serviceAccount.create -}}
			
 
				+{{- if and .Values.certController.create .Values.certController.serviceAccount.create -}}
			
 
				 apiVersion: v1
			
 
				 kind: ServiceAccount
			
 
				 metadata:
			
--- a/deploy/charts/external-secrets/templates/validatingwebhook.yaml
+++ b/deploy/charts/external-secrets/templates/validatingwebhook.yaml
@@ -1,3 +1,4 @@
 
				+{{- if .Values.webhook.create }}
			
 
				 apiVersion: admissionregistration.k8s.io/v1
			
 
				 kind: ValidatingWebhookConfiguration
			
 
				 metadata:
			
@@ -39,3 +40,4 @@ webhooks:
 
				   admissionReviewVersions: ["v1", "v1beta1"]
			
 
				   sideEffects: None
			
 
				   timeoutSeconds: 5
			
 
				+{{- end }}
			
--- a/deploy/charts/external-secrets/templates/webhook-secret.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-secret.yaml
@@ -1,3 +1,4 @@
 
				+{{- if .Values.webhook.create }}
			
 
				 apiVersion: v1
			
 
				 kind: Secret
			
 
				 metadata:
			
@@ -6,3 +7,4 @@ metadata:
 
				   labels:
			
 
				     {{- include "external-secrets-webhook.labels" . | nindent 4 }}
			
 
				     external-secrets.io/component : webhook
			
 
				+{{- end }}
			
--- a/deploy/charts/external-secrets/templates/webhook-service.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-service.yaml
@@ -1,3 +1,4 @@
 
				+{{- if .Values.webhook.create }}
			
 
				 apiVersion: v1
			
 
				 kind: Service
			
 
				 metadata:
			
@@ -27,3 +28,4 @@ spec:
 
				   {{- end }}
			
 
				   selector:
			
 
				     {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
			
 
				+{{- end }}
			
--- a/deploy/charts/external-secrets/templates/webhook-serviceaccount.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-serviceaccount.yaml
@@ -1,4 +1,4 @@
 
				-{{- if .Values.webhook.serviceAccount.create -}}
			
 
				+{{- if and .Values.webhook.create .Values.webhook.serviceAccount.create -}}
			
 
				 apiVersion: v1
			
 
				 kind: ServiceAccount
			
 
				 metadata:
			
--- a/e2e/framework/addon/eso.go
+++ b/e2e/framework/addon/eso.go
@@ -93,6 +93,24 @@ func WithNamespaceScope(namespace string) MutationFunc {
 
				 	}
			
 
				 }
			
 
				 
			
 
				+func WithoutWebhook() MutationFunc {
			
 
				+	return func(eso *ESO) {
			
 
				+		eso.HelmChart.Vars = append(eso.HelmChart.Vars, StringTuple{
			
 
				+			Key:   "webhook.create",
			
 
				+			Value: "false",
			
 
				+		})
			
 
				+	}
			
 
				+}
			
 
				+
			
 
				+func WithoutCertController() MutationFunc {
			
 
				+	return func(eso *ESO) {
			
 
				+		eso.HelmChart.Vars = append(eso.HelmChart.Vars, StringTuple{
			
 
				+			Key:   "certController.create",
			
 
				+			Value: "false",
			
 
				+		})
			
 
				+	}
			
 
				+}
			
 
				+
			
 
				 func WithServiceAccount(saName string) MutationFunc {
			
 
				 	return func(eso *ESO) {
			
 
				 		eso.HelmChart.Vars = append(eso.HelmChart.Vars, []StringTuple{
			
--- a/e2e/suite/aws/parameterstore/parameterstore_managed.go
+++ b/e2e/suite/aws/parameterstore/parameterstore_managed.go
@@ -63,6 +63,8 @@ var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "parameterstore"
 
				 			addon.WithServiceAccount(prov.ServiceAccountName),
			
 
				 			addon.WithReleaseName(f.Namespace.Name),
			
 
				 			addon.WithNamespace("default"),
			
 
				+			addon.WithoutWebhook(),
			
 
				+			addon.WithoutCertController(),
			
 
				 		))
			
 
				 	})
			
 
				 
			
--- a/e2e/suite/aws/secretsmanager/secretsmanager_managed.go
+++ b/e2e/suite/aws/secretsmanager/secretsmanager_managed.go
@@ -63,6 +63,8 @@ var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "secretsmanager"
 
				 			addon.WithServiceAccount(prov.ServiceAccountName),
			
 
				 			addon.WithReleaseName(f.Namespace.Name),
			
 
				 			addon.WithNamespace("default"),
			
 
				+			addon.WithoutWebhook(),
			
 
				+			addon.WithoutCertController(),
			
 
				 		))
			
 
				 	})
			
 
				 
			
--- a/e2e/suite/gcp/gcp_managed.go
+++ b/e2e/suite/gcp/gcp_managed.go
@@ -44,6 +44,8 @@ var _ = Describe("[gcpmanaged] with pod identity", Label("gcp", "secretsmanager"
 
				 			addon.WithServiceAccount(prov.ServiceAccountName),
			
 
				 			addon.WithReleaseName(f.Namespace.Name),
			
 
				 			addon.WithNamespace("default"),
			
 
				+			addon.WithoutWebhook(),
			
 
				+			addon.WithoutCertController(),
			
 
				 		))
			
 
				 	})
			
 
				 
			
@@ -78,6 +80,8 @@ var _ = Describe("[gcpmanaged] with service account", Label("gcp", "secretsmanag
 
				 			addon.WithControllerClass(f.BaseName),
			
 
				 			addon.WithReleaseName(f.Namespace.Name),
			
 
				 			addon.WithNamespace(f.Namespace.Name),
			
 
				+			addon.WithoutWebhook(),
			
 
				+			addon.WithoutCertController(),
			
 
				 		))
			
 
				 	})
			
 
				 
			
--- a/pkg/controllers/secretstore/common.go
+++ b/pkg/controllers/secretstore/common.go
@@ -91,6 +91,7 @@ func validateStore(ctx context.Context, namespace string, store esapi.GenericSto
 
				 		recorder.Event(store, v1.EventTypeWarning, esapi.ReasonInvalidProviderConfig, err.Error())
			
 
				 		return fmt.Errorf(errStoreClient, err)
			
 
				 	}
			
 
				+	defer cl.Close(ctx)
			
 
				 
			
 
				 	err = cl.Validate()
			
 
				 	if err != nil {
			
--- a/pkg/provider/gcp/secretmanager/secretsmanager.go
+++ b/pkg/provider/gcp/secretmanager/secretsmanager.go
@@ -17,6 +17,7 @@ import (
 
				 	"context"
			
 
				 	"encoding/json"
			
 
				 	"fmt"
			
 
				+	"sync"
			
 
				 
			
 
				 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
			
 
				 	"github.com/googleapis/gax-go/v2"
			
@@ -64,6 +65,15 @@ type GoogleSecretManagerClient interface {
 
				 	Close() error
			
 
				 }
			
 
				 
			
 
				+/*
			
 
				+ Currently, GCPSM client has a limitation around how concurrent connections work
			
 
				+ This limitation causes memory leaks due to random disconnects from living clients
			
 
				+ and also payload switches when sending a call (such as using a credential from one
			
 
				+ thread to ask secrets from another thread).
			
 
				+ A Mutex was implemented to make sure only one connection can be in place at a time.
			
 
				+*/
			
 
				+var useMu = sync.Mutex{}
			
 
				+
			
 
				 // ProviderGCP is a provider for GCP Secret Manager.
			
 
				 type ProviderGCP struct {
			
 
				 	projectID           string
			
@@ -144,8 +154,10 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1beta1.GenericSto
 
				 	}
			
 
				 	storeSpecGCPSM := storeSpec.Provider.GCPSM
			
 
				 
			
 
				+	useMu.Lock()
			
 
				 	wi, err := newWorkloadIdentity(ctx)
			
 
				 	if err != nil {
			
 
				+		useMu.Unlock()
			
 
				 		return nil, fmt.Errorf("unable to initialize workload identity")
			
 
				 	}
			
 
				 
			
@@ -168,17 +180,20 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1beta1.GenericSto
 
				 
			
 
				 	ts, err := cliStore.getTokenSource(ctx, store, kube, namespace)
			
 
				 	if err != nil {
			
 
				+		useMu.Unlock()
			
 
				 		return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
			
 
				 	}
			
 
				 
			
 
				 	// check if we can get credentials
			
 
				 	_, err = ts.Token()
			
 
				 	if err != nil {
			
 
				+		useMu.Unlock()
			
 
				 		return nil, fmt.Errorf(errUnableGetCredentials, err)
			
 
				 	}
			
 
				 
			
 
				 	clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
			
 
				 	if err != nil {
			
 
				+		useMu.Unlock()
			
 
				 		return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
			
 
				 	}
			
 
				 	sm.SecretManagerClient = clientGCPSM
			
@@ -265,6 +280,7 @@ func (sm *ProviderGCP) Close(ctx context.Context) error {
 
				 	if sm.gClient != nil {
			
 
				 		err = sm.gClient.Close()
			
 
				 	}
			
 
				+	useMu.Unlock()
			
 
				 	if err != nil {
			
 
				 		return fmt.Errorf(errClientClose, err)
			
 
				 	}