root.go 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426
  1. /*
  2. Copyright © 2025 ESO Maintainer Team
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. https://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. package controller
  14. import (
  15. "crypto/tls"
  16. "os"
  17. "time"
  18. "github.com/spf13/cobra"
  19. v1 "k8s.io/api/core/v1"
  20. apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
  21. "k8s.io/apimachinery/pkg/runtime"
  22. utilruntime "k8s.io/apimachinery/pkg/util/runtime"
  23. clientgoscheme "k8s.io/client-go/kubernetes/scheme"
  24. ctrl "sigs.k8s.io/controller-runtime"
  25. "sigs.k8s.io/controller-runtime/pkg/cache"
  26. "sigs.k8s.io/controller-runtime/pkg/client"
  27. "sigs.k8s.io/controller-runtime/pkg/controller"
  28. "sigs.k8s.io/controller-runtime/pkg/healthz"
  29. "sigs.k8s.io/controller-runtime/pkg/metrics/server"
  30. "sigs.k8s.io/controller-runtime/pkg/webhook"
  31. esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
  32. esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
  33. genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
  34. awsv2 "github.com/external-secrets/external-secrets/apis/provider/aws/v2alpha1"
  35. fakev2alpha1 "github.com/external-secrets/external-secrets/apis/provider/fake/v2alpha1"
  36. k8sv2alpha1 "github.com/external-secrets/external-secrets/apis/provider/kubernetes/v2alpha1"
  37. "github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret"
  38. "github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret/cesmetrics"
  39. "github.com/external-secrets/external-secrets/pkg/controllers/clusterprovider"
  40. "github.com/external-secrets/external-secrets/pkg/controllers/clusterpushsecret"
  41. "github.com/external-secrets/external-secrets/pkg/controllers/clusterpushsecret/cpsmetrics"
  42. ctrlcommon "github.com/external-secrets/external-secrets/pkg/controllers/common"
  43. "github.com/external-secrets/external-secrets/pkg/controllers/externalsecret"
  44. "github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
  45. "github.com/external-secrets/external-secrets/pkg/controllers/generatorstate"
  46. ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
  47. "github.com/external-secrets/external-secrets/pkg/controllers/provider"
  48. "github.com/external-secrets/external-secrets/pkg/controllers/pushsecret"
  49. "github.com/external-secrets/external-secrets/pkg/controllers/pushsecret/psmetrics"
  50. "github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
  51. "github.com/external-secrets/external-secrets/pkg/controllers/secretstore/cssmetrics"
  52. "github.com/external-secrets/external-secrets/pkg/controllers/secretstore/ssmetrics"
  53. "github.com/external-secrets/external-secrets/runtime/feature"
  54. // To allow using gcp auth.
  55. _ "k8s.io/client-go/plugin/pkg/client/auth"
  56. )
  57. var (
  58. scheme = runtime.NewScheme()
  59. setupLog = ctrl.Log.WithName("setup")
  60. dnsName string
  61. certDir string
  62. liveAddr string
  63. metricsAddr string
  64. metricsSecure bool
  65. metricsCertDir string
  66. metricsCertName string
  67. metricsKeyName string
  68. healthzAddr string
  69. controllerClass string
  70. enableLeaderElection bool
  71. enableSecretsCache bool
  72. enableConfigMapsCache bool
  73. enableManagedSecretsCache bool
  74. enablePartialCache bool
  75. concurrent int
  76. port int
  77. clientQPS float32
  78. clientBurst int
  79. loglevel string
  80. zapTimeEncoding string
  81. namespace string
  82. enableClusterStoreReconciler bool
  83. enableSecretStoreReconciler bool
  84. enableClusterExternalSecretReconciler bool
  85. enableClusterPushSecretReconciler bool
  86. enablePushSecretReconciler bool
  87. enableFloodGate bool
  88. enableGeneratorState bool
  89. enableExtendedMetricLabels bool
  90. storeRequeueInterval time.Duration
  91. serviceName, serviceNamespace string
  92. secretName, secretNamespace string
  93. crdNames []string
  94. crdRequeueInterval time.Duration
  95. certCheckInterval time.Duration
  96. certLookaheadInterval time.Duration
  97. tlsCiphers string
  98. tlsMinVersion string
  99. enableHTTP2 bool
  100. allowGenericTargets bool
  101. providerNamespace string
  102. providerServiceNames []string
  103. )
  104. const (
  105. errCreateController = "unable to create controller"
  106. )
  107. func init() {
  108. // kubernetes schemes
  109. utilruntime.Must(clientgoscheme.AddToScheme(scheme))
  110. utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
  111. // external-secrets schemes
  112. utilruntime.Must(esv1.AddToScheme(scheme))
  113. utilruntime.Must(esv1alpha1.AddToScheme(scheme))
  114. utilruntime.Must(genv1alpha1.AddToScheme(scheme))
  115. // v2 provider schemes
  116. utilruntime.Must(awsv2.AddToScheme(scheme))
  117. utilruntime.Must(fakev2alpha1.AddToScheme(scheme))
  118. utilruntime.Must(k8sv2alpha1.AddToScheme(scheme))
  119. }
  120. var rootCmd = &cobra.Command{
  121. Use: "external-secrets",
  122. Short: "operator that reconciles ExternalSecrets and SecretStores",
  123. Long: `For more information visit https://external-secrets.io`,
  124. Run: func(cmd *cobra.Command, _ []string) {
  125. setupLogger()
  126. ctrlmetrics.SetUpLabelNames(enableExtendedMetricLabels)
  127. esmetrics.SetUpMetrics()
  128. config := ctrl.GetConfigOrDie()
  129. config.QPS = clientQPS
  130. config.Burst = clientBurst
  131. // the client creates a ListWatch for resources that are requested with .Get() or .List()
  132. // some users might want to completely disable caching of Secrets and ConfigMaps
  133. // to decrease memory usage at the expense of high Kubernetes API usage
  134. // see: https://github.com/external-secrets/external-secrets/issues/721
  135. clientCacheDisableFor := make([]client.Object, 0)
  136. if !enableSecretsCache {
  137. // dont cache any secrets
  138. clientCacheDisableFor = append(clientCacheDisableFor, &v1.Secret{})
  139. }
  140. if !enableConfigMapsCache {
  141. // dont cache any configmaps
  142. clientCacheDisableFor = append(clientCacheDisableFor, &v1.ConfigMap{})
  143. }
  144. metricsOpts := server.Options{
  145. BindAddress: metricsAddr,
  146. }
  147. if metricsSecure {
  148. metricsOpts.SecureServing = true
  149. metricsOpts.CertDir = metricsCertDir
  150. metricsOpts.CertName = metricsCertName
  151. metricsOpts.KeyName = metricsKeyName
  152. }
  153. // Disable HTTP/2 if not explicitly enabled
  154. if !enableHTTP2 {
  155. metricsOpts.TLSOpts = []func(*tls.Config){disableHTTP2}
  156. }
  157. mgrOpts := ctrl.Options{
  158. Scheme: scheme,
  159. Metrics: metricsOpts,
  160. HealthProbeBindAddress: liveAddr,
  161. WebhookServer: webhook.NewServer(webhook.Options{
  162. Port: 9443,
  163. }),
  164. Client: client.Options{
  165. Cache: &client.CacheOptions{
  166. DisableFor: clientCacheDisableFor,
  167. },
  168. },
  169. LeaderElection: enableLeaderElection,
  170. LeaderElectionID: "external-secrets-controller",
  171. }
  172. if namespace != "" {
  173. mgrOpts.Cache.DefaultNamespaces = map[string]cache.Config{
  174. namespace: {},
  175. }
  176. }
  177. mgr, err := ctrl.NewManager(config, mgrOpts)
  178. if err != nil {
  179. setupLog.Error(err, "unable to start manager")
  180. os.Exit(1)
  181. }
  182. // we create a special client for accessing secrets in the ExternalSecret reconcile loop.
  183. // by default, it is the same as the normal client, but if `--enable-managed-secrets-caching`
  184. // is set, we use a special client that only caches secrets managed by an ExternalSecret.
  185. // if we are already caching all secrets, we don't need to use the special client.
  186. secretClient := mgr.GetClient()
  187. if enableManagedSecretsCache && !enableSecretsCache {
  188. secretClient, err = ctrlcommon.BuildManagedSecretClient(mgr, namespace)
  189. if err != nil {
  190. setupLog.Error(err, "unable to create managed secret client")
  191. os.Exit(1)
  192. }
  193. }
  194. if enableSecretStoreReconciler {
  195. ssmetrics.SetUpMetrics()
  196. if err = (&secretstore.StoreReconciler{
  197. Client: mgr.GetClient(),
  198. Log: ctrl.Log.WithName("controllers").WithName("SecretStore"),
  199. Scheme: mgr.GetScheme(),
  200. ControllerClass: controllerClass,
  201. RequeueInterval: storeRequeueInterval,
  202. PushSecretEnabled: enablePushSecretReconciler,
  203. }).SetupWithManager(mgr, controller.Options{
  204. MaxConcurrentReconciles: concurrent,
  205. RateLimiter: ctrlcommon.BuildRateLimiter(),
  206. }); err != nil {
  207. setupLog.Error(err, errCreateController, "controller", "SecretStore")
  208. os.Exit(1)
  209. }
  210. }
  211. if enableClusterStoreReconciler {
  212. cssmetrics.SetUpMetrics()
  213. if err = (&secretstore.ClusterStoreReconciler{
  214. Client: mgr.GetClient(),
  215. Log: ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
  216. Scheme: mgr.GetScheme(),
  217. ControllerClass: controllerClass,
  218. RequeueInterval: storeRequeueInterval,
  219. PushSecretEnabled: enablePushSecretReconciler,
  220. }).SetupWithManager(mgr, controller.Options{
  221. MaxConcurrentReconciles: concurrent,
  222. RateLimiter: ctrlcommon.BuildRateLimiter(),
  223. }); err != nil {
  224. setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
  225. os.Exit(1)
  226. }
  227. }
  228. provider.SetUpMetrics()
  229. if err = (&provider.Reconciler{
  230. Client: mgr.GetClient(),
  231. Log: ctrl.Log.WithName("controllers").WithName("Provider"),
  232. Scheme: mgr.GetScheme(),
  233. RequeueInterval: storeRequeueInterval,
  234. }).SetupWithManager(mgr, controller.Options{
  235. MaxConcurrentReconciles: concurrent,
  236. RateLimiter: ctrlcommon.BuildRateLimiter(),
  237. }); err != nil {
  238. setupLog.Error(err, errCreateController, "controller", "Provider")
  239. os.Exit(1)
  240. }
  241. clusterprovider.SetUpMetrics()
  242. if err = (&clusterprovider.Reconciler{
  243. Client: mgr.GetClient(),
  244. Log: ctrl.Log.WithName("controllers").WithName("ClusterProvider"),
  245. Scheme: mgr.GetScheme(),
  246. RequeueInterval: storeRequeueInterval,
  247. }).SetupWithManager(mgr, controller.Options{
  248. MaxConcurrentReconciles: concurrent,
  249. RateLimiter: ctrlcommon.BuildRateLimiter(),
  250. }); err != nil {
  251. setupLog.Error(err, errCreateController, "controller", "ClusterProvider")
  252. os.Exit(1)
  253. }
  254. if err = (&generatorstate.Reconciler{
  255. Client: mgr.GetClient(),
  256. Log: ctrl.Log.WithName("controllers").WithName("GeneratorState"),
  257. Scheme: mgr.GetScheme(),
  258. RestConfig: mgr.GetConfig(),
  259. }).SetupWithManager(mgr, controller.Options{
  260. MaxConcurrentReconciles: concurrent,
  261. RateLimiter: ctrlcommon.BuildRateLimiter(),
  262. }); err != nil {
  263. setupLog.Error(err, errCreateController, "controller", "GeneratorState")
  264. os.Exit(1)
  265. }
  266. if err = (&externalsecret.Reconciler{
  267. Client: mgr.GetClient(),
  268. SecretClient: secretClient,
  269. Log: ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
  270. Scheme: mgr.GetScheme(),
  271. RestConfig: mgr.GetConfig(),
  272. ControllerClass: controllerClass,
  273. RequeueInterval: time.Hour,
  274. ClusterSecretStoreEnabled: enableClusterStoreReconciler,
  275. EnableFloodGate: enableFloodGate,
  276. EnableGeneratorState: enableGeneratorState,
  277. AllowGenericTargets: allowGenericTargets,
  278. }).SetupWithManager(cmd.Context(), mgr, controller.Options{
  279. MaxConcurrentReconciles: concurrent,
  280. RateLimiter: ctrlcommon.BuildRateLimiter(),
  281. }); err != nil {
  282. setupLog.Error(err, errCreateController, "controller", "ExternalSecret")
  283. os.Exit(1)
  284. }
  285. if enablePushSecretReconciler {
  286. psmetrics.SetUpMetrics()
  287. if err = (&pushsecret.Reconciler{
  288. Client: mgr.GetClient(),
  289. Log: ctrl.Log.WithName("controllers").WithName("PushSecret"),
  290. Scheme: mgr.GetScheme(),
  291. ControllerClass: controllerClass,
  292. RestConfig: mgr.GetConfig(),
  293. RequeueInterval: time.Hour,
  294. }).SetupWithManager(cmd.Context(), mgr, controller.Options{
  295. MaxConcurrentReconciles: concurrent,
  296. RateLimiter: ctrlcommon.BuildRateLimiter(),
  297. }); err != nil {
  298. setupLog.Error(err, errCreateController, "controller", "PushSecret")
  299. os.Exit(1)
  300. }
  301. }
  302. if enableClusterExternalSecretReconciler {
  303. cesmetrics.SetUpMetrics()
  304. if err = (&clusterexternalsecret.Reconciler{
  305. Client: mgr.GetClient(),
  306. Log: ctrl.Log.WithName("controllers").WithName("ClusterExternalSecret"),
  307. Scheme: mgr.GetScheme(),
  308. RequeueInterval: time.Hour,
  309. }).SetupWithManager(mgr, controller.Options{
  310. MaxConcurrentReconciles: concurrent,
  311. RateLimiter: ctrlcommon.BuildRateLimiter(),
  312. }); err != nil {
  313. setupLog.Error(err, errCreateController, "controller", "ClusterExternalSecret")
  314. os.Exit(1)
  315. }
  316. }
  317. if enableClusterPushSecretReconciler {
  318. cpsmetrics.SetUpMetrics()
  319. if err = (&clusterpushsecret.Reconciler{
  320. Client: mgr.GetClient(),
  321. Log: ctrl.Log.WithName("controllers").WithName("ClusterPushSecret"),
  322. Scheme: mgr.GetScheme(),
  323. RequeueInterval: time.Hour,
  324. Recorder: mgr.GetEventRecorderFor("external-secrets-controller"),
  325. }).SetupWithManager(mgr, controller.Options{
  326. MaxConcurrentReconciles: concurrent,
  327. }); err != nil {
  328. setupLog.Error(err, errCreateController, "controller", "ClusterPushSecret")
  329. os.Exit(1)
  330. }
  331. }
  332. if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
  333. setupLog.Error(err, "unable to add controller healthz check")
  334. os.Exit(1)
  335. }
  336. fs := feature.Features()
  337. for _, f := range fs {
  338. if f.Initialize == nil {
  339. continue
  340. }
  341. f.Initialize()
  342. }
  343. setupLog.Info("starting manager")
  344. if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
  345. setupLog.Error(err, "problem running manager")
  346. os.Exit(1)
  347. }
  348. },
  349. }
  350. // Execute starts the command execution process.
  351. func Execute() {
  352. cobra.CheckErr(rootCmd.Execute())
  353. }
  354. func init() {
  355. rootCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
  356. rootCmd.Flags().BoolVar(&metricsSecure, "metrics-secure", false, "Enable HTTPS for the metrics endpoint.")
  357. rootCmd.Flags().StringVar(&metricsCertDir, "metrics-cert-dir", "", "Directory containing TLS certificate and key for metrics endpoint.")
  358. rootCmd.Flags().StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "TLS certificate filename for metrics endpoint.")
  359. rootCmd.Flags().StringVar(&metricsKeyName, "metrics-key-name", "tls.key", "TLS key filename for metrics endpoint.")
  360. rootCmd.Flags().StringVar(&controllerClass, "controller-class", "default", "The controller is instantiated with a specific controller name and filters ES based on this property")
  361. rootCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
  362. "Enable leader election for controller manager. "+
  363. "Enabling this will ensure there is only one active controller manager.")
  364. rootCmd.Flags().IntVar(&concurrent, "concurrent", 1, "The number of concurrent reconciles.")
  365. rootCmd.Flags().Float32Var(&clientQPS, "client-qps", 50, "QPS configuration to be passed to rest.Client")
  366. rootCmd.Flags().IntVar(&clientBurst, "client-burst", 100, "Maximum Burst allowed to be passed to rest.Client")
  367. rootCmd.Flags().StringVar(&liveAddr, "live-addr", ":8082", "The address the live endpoint binds to.")
  368. rootCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
  369. rootCmd.Flags().StringVar(&zapTimeEncoding, "zap-time-encoding", "epoch", "Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano')")
  370. rootCmd.Flags().
  371. StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
  372. rootCmd.Flags().BoolVar(&enableClusterStoreReconciler, "enable-cluster-store-reconciler", true, "Enable cluster store reconciler.")
  373. rootCmd.Flags().BoolVar(&enableSecretStoreReconciler, "enable-secret-store-reconciler", true, "Enable secret store reconciler.")
  374. rootCmd.Flags().BoolVar(&enableClusterExternalSecretReconciler, "enable-cluster-external-secret-reconciler", true, "Enable cluster external secret reconciler.")
  375. rootCmd.Flags().BoolVar(&enableClusterPushSecretReconciler, "enable-cluster-push-secret-reconciler", true, "Enable cluster push secret reconciler.")
  376. rootCmd.Flags().BoolVar(&enablePushSecretReconciler, "enable-push-secret-reconciler", true, "Enable push secret reconciler.")
  377. rootCmd.Flags().BoolVar(&enableSecretsCache, "enable-secrets-caching", false, "Enable secrets caching for ALL secrets in the cluster (WARNING: can increase memory usage).")
  378. rootCmd.Flags().BoolVar(&enableConfigMapsCache, "enable-configmaps-caching", false, "Enable configmaps caching for ALL configmaps in the cluster (WARNING: can increase memory usage).")
  379. rootCmd.Flags().BoolVar(&enableManagedSecretsCache, "enable-managed-secrets-caching", true, "Enable secrets caching for secrets managed by an ExternalSecret")
  380. rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Default Time duration between reconciling (Cluster)SecretStores")
  381. rootCmd.Flags().BoolVar(&enableFloodGate, "enable-flood-gate", true, "Enable flood gate. External secret will be reconciled only if the ClusterStore or Store have an healthy or unknown state.")
  382. rootCmd.Flags().BoolVar(&enableGeneratorState, "enable-generator-state", true, "Whether the Controller should manage GeneratorState")
  383. rootCmd.Flags().BoolVar(&enableExtendedMetricLabels, "enable-extended-metric-labels", false, "Enable recommended kubernetes annotations as labels in metrics.")
  384. rootCmd.Flags().BoolVar(&enableHTTP2, "enable-http2", false,
  385. "If set, HTTP/2 will be enabled for the metrics server")
  386. rootCmd.Flags().
  387. BoolVar(&allowGenericTargets, "unsafe-allow-generic-targets", false, "Enable support for creating generic resources (ConfigMaps, Custom Resources). WARNING: Using generic resources, please sure all policies are correctly configured.")
  388. fs := feature.Features()
  389. for _, f := range fs {
  390. rootCmd.Flags().AddFlagSet(f.Flags)
  391. }
  392. }
  393. // disableHTTP2 is a TLS configuration function that disables HTTP/2.
  394. func disableHTTP2(cfg *tls.Config) {
  395. cfg.NextProtos = []string{"http/1.1"}
  396. }