feat!: drop helm v2 and builtin CRD management

Signed-off-by: Markus Maga <[email protected]>

.github/workflows/workflow.yml

@@ -40,18 +40,6 @@ jobs:
   test-e2e:
     runs-on: ubuntu-latest
     name: E2E
-    strategy:
-      matrix:
-        disableCustomResourceManager: ["true", "false"]
-        helmVersion: ["V2", "V3"]
     steps:
       - uses: actions/checkout@v2
-      - uses: azure/setup-helm@v1
-        with:
-          version: v2.17.0
-        if: matrix.helmVersion == 'V2'
-      - name: configure helm v2
-        run: |
-          helm init --client-only
-        if: matrix.helmVersion == 'V2'
-      - run: ./e2e/run-e2e-suite.sh ${{ matrix.disableCustomResourceManager }} ${{ matrix.helmVersion }}
+      - run: ./e2e/run-e2e-suite.sh

bin/daemon.js

@@ -17,7 +17,6 @@ const PollerFactory = require('../lib/poller-factory')
 const {
   backends,
   kubeClient,
-  customResourceManager,
   customResourceManifest,
   logger,
   metricsPort,
@@ -34,7 +33,8 @@ async function main () {
   logger.info('loading kube specs')
   await kubeClient.loadSpec()
   logger.info('successfully loaded kube specs')
-  await customResourceManager.manageCrd({ customResourceManifest })
+
+  kubeClient.addCustomResourceDefinition(customResourceManifest)
 
   const externalSecretEvents = getExternalSecretEvents({
     kubeClient,

charts/kubernetes-external-secrets/README.md

@@ -22,7 +22,7 @@ See below for [Helm V2 considerations](#helm-v2-considerations) when installing
 To install the chart with the release named `my-release`:
 
 ```bash
-$ helm install my-release external-secrets/kubernetes-external-secrets --skip-crds
+$ helm install my-release external-secrets/kubernetes-external-secrets
 ```
 
 > **Tip:** A namespace can be specified by the `Helm` option '`--namespace kube-external-secrets`', however know this will not [autocreate a namespace](https://helm.sh/docs/faq/#automatically-creating-namespaces) like in Helm V2. To do that, also add the `--create-namespace` flag.
@@ -35,28 +35,6 @@ To install the chart with [AWS IAM Roles for Service Accounts](https://docs.aws.
 $ helm install my-release external-secrets/kubernetes-external-secrets --skip-crds --set securityContext.fsGroup=65534 --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"='arn:aws:iam::111111111111:role/ROLENAME'
 ```
 
-### Installing the CRD
-
-To install the `ExternalSecret` CRD via the chart and disable the custom resource manager, you can omit `--skip-crds` and set `customResourceManagerDisabled`:
-
-```bash
-$ helm install external-secrets/kubernetes-external-secrets --name my-release --set customResourceManagerDisabled=true
-```
-
-### Helm V2 Considerations
-
-For Helm V2, `--skip-crds` is not needed, but `--name` is in order to set the release name:
-
-```bash
-$ helm install external-secrets/kubernetes-external-secrets --name my-release
-```
-
-If you wish to disable the custom resource manager and install the CRD via Helm V2, then `crds.create` must also be set:
-
-```bash
-$ helm install external-secrets/kubernetes-external-secrets --name my-release --set customResourceManagerDisabled=true --set crds.create=true
-```
-
 ## Uninstalling the Chart
 
 To uninstall/delete the deployment:
@@ -72,7 +50,6 @@ The following table lists the configurable parameters of the `kubernetes-externa
 | Parameter                                 | Description                                                                                                                       | Default                               |
 | ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
 | `crds.create`                             | For Helm V2 installations of the chart to install the CRD, for V3 installations use `--skip-crds` appropriately                   | `false`                               |
-| `customResourceManagerDisabled`           | Disables the custom resource manager, requiring the CRD be installed via the chart or other means                                 | `false`                               |
 | `env.AWS_REGION`                          | Set AWS_REGION in Deployment Pod                                                                                                  | `us-west-2`                           |
 | `env.AWS_INTERMEDIATE_ROLE_ARN`           | Specifies a role to be assumed before assuming role arn specified in external secrets                                             |                                       |
 | `env.LOG_LEVEL`                           | Set the application log level                                                                                                     | `info`                                |
@@ -122,7 +99,6 @@ Specify each parameter using the `--set key=value[,key=value]` argument to `helm
 
 ```bash
 helm install my-release external-secrets/kubernetes-external-secrets \
---set customResourceManagerDisabled=true
 --set env.POLLER_INTERVAL_MILLISECONDS='300000' \
 --set podAnnotations."iam\.amazonaws\.com/role"='Name-Of-IAM-Role-With-SecretManager-Access'
 ```

charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml

@@ -4,8 +4,6 @@ kind: CustomResourceDefinition
 metadata:
   name: externalsecrets.kubernetes-client.io
   annotations:
-    # for helm v2 backwards compatibility
-    helm.sh/hook: crd-install
     # used in e2e testing
     app.kubernetes.io/managed-by: helm
 spec:

charts/kubernetes-external-secrets/templates/deployment.yaml

@@ -45,10 +45,6 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           env:
-          {{- if .Values.customResourceManagerDisabled }}
-          - name: DISABLE_CUSTOM_RESOURCE_MANAGER
-            value: "true"
-          {{- end }}
           {{- range $name, $value := .Values.env }}
           {{- if not (empty $value) }}
           - name: {{ $name | quote }}

charts/kubernetes-external-secrets/templates/rbac.yaml

@@ -29,11 +29,6 @@ rules:
   - apiGroups: ["kubernetes-client.io"]
     resources: ["externalsecrets/status"]
     verbs: ["get", "update"]
- {{- if .Values.customResourceManagerDisabled | not }}
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["create"]
-  {{- end }}
   {{- if .Values.customClusterRoles }}
   {{- toYaml .Values.customClusterRoles | nindent 2 }}
   {{- end }}

charts/kubernetes-external-secrets/values.yaml

@@ -2,23 +2,15 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-# Determines whether the Helm chart or kubernetes-external-secrets
-# will handle the ExternalSecret CRD
-customResourceManagerDisabled: false
-
-crds:
-  # only needed for helm v2, leave this disabled for helm v3
-  create: false
-
 # Environment variables to set on deployment pod
 env:
   AWS_REGION: us-west-2
   AWS_DEFAULT_REGION: us-west-2
-  POLLER_INTERVAL_MILLISECONDS: 10000  # Caution, setting this frequency may incur additional charges on some platforms
+  POLLER_INTERVAL_MILLISECONDS: 10000 # Caution, setting this frequency may incur additional charges on some platforms
   WATCH_TIMEOUT: 60000
-  WATCHED_NAMESPACES: '' # Comma separated list of namespaces, empty or unset means ALL namespaces.
+  WATCHED_NAMESPACES: "" # Comma separated list of namespaces, empty or unset means ALL namespaces.
   LOG_LEVEL: info
-  LOG_MESSAGE_KEY: 'msg'
+  LOG_MESSAGE_KEY: "msg"
   # Print logs level as string ("info") rather than integer (30)
   # USE_HUMAN_READABLE_LOG_LEVELS: true
   METRICS_PORT: 3001
@@ -103,7 +95,8 @@ securityContext:
   # Required for use of IRSA, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
   # fsGroup: 65534
 
-resources: {}
+resources:
+  {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following

config/environment.js

@@ -38,7 +38,6 @@ const enforceNamespaceAnnotation = 'ENFORCE_NAMESPACE_ANNOTATIONS' in process.en
 
 const metricsPort = process.env.METRICS_PORT || 3001
 
-const customResourceManagerDisabled = 'DISABLE_CUSTOM_RESOURCE_MANAGER' in process.env
 const watchTimeout = process.env.WATCH_TIMEOUT ? parseInt(process.env.WATCH_TIMEOUT) : 60000
 
 // A comma-separated list of watched namespaces. If set, only ExternalSecrets in those namespaces will be handled.
@@ -66,7 +65,6 @@ module.exports = {
   enforceNamespaceAnnotation,
   pollingDisabled,
   logLevel,
-  customResourceManagerDisabled,
   useHumanReadableLogLevels,
   logMessageKey,
   watchTimeout,

config/index.js

@@ -13,7 +13,6 @@ const azureConfig = require('./azure-config')
 const alicloudConfig = require('./alicloud-config')
 const gcpConfig = require('./gcp-config')
 const envConfig = require('./environment')
-const CustomResourceManager = require('../lib/custom-resource-manager')
 const SecretsManagerBackend = require('../lib/backends/secrets-manager-backend')
 const SystemManagerBackend = require('../lib/backends/system-manager-backend')
 const VaultBackend = require('../lib/backends/vault-backend')
@@ -24,7 +23,6 @@ const AliCloudSecretsManagerBackend = require('../lib/backends/alicloud-secrets-
 // Get document, or throw exception on error
 // eslint-disable-next-line security/detect-non-literal-fs-filename
 const customResourceManifest = yaml.safeLoad(fs.readFileSync(path.resolve(__dirname, '../charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml'), 'utf8'))
-customResourceManifest.metadata.annotations['app.kubernetes.io/managed-by'] = 'custom-resource-manager'
 
 const kubeconfig = new kube.KubeConfig()
 kubeconfig.loadFromDefault()
@@ -45,12 +43,6 @@ const logger = pino({
   nestedKey: 'payload'
 })
 
-const customResourceManager = new CustomResourceManager({
-  kubeClient,
-  logger,
-  disabled: envConfig.customResourceManagerDisabled
-})
-
 const secretsManagerBackend = new SecretsManagerBackend({
   clientFactory: awsConfig.secretsManagerFactory,
   assumeRole: awsConfig.assumeRole,
@@ -121,7 +113,6 @@ backends.secretManager = secretsManagerBackend
 module.exports = {
   awsConfig,
   backends,
-  customResourceManager,
   customResourceManifest,
   ...envConfig,
   kubeClient,

e2e/run-e2e-suite.sh

@@ -14,9 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-DISABLE_CUSTOM_RESOURCE_MANAGER=${1:-true}
-HELM_VERSION=${2:-V3}
-
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 KIND_LOGGING=""
 if ! [ -z "$DEBUG" ]; then
@@ -72,25 +69,9 @@ kubectl apply -f ${DIR}/localstack.deployment.yaml
 
 CHART_DIR="$(dirname "$DIR")/charts/kubernetes-external-secrets"
 HELM_TEMPLATE_ARGS="e2e ${CHART_DIR}"
-HELM_TEMPLATE_EXTRA_ARGS="--include-crds --set customResourceManagerDisabled=true"
-E2E_EXTRA_ARGS="--env=DISABLE_CUSTOM_RESOURCE_MANAGER=true"
-if [[ "$HELM_VERSION" == "V3" ]]; then
-  if [[ "$DISABLE_CUSTOM_RESOURCE_MANAGER" == "false" ]]; then
-    HELM_TEMPLATE_EXTRA_ARGS="--skip-crds"
-    E2E_EXTRA_ARGS=""
-  fi
-else
-  HELM_TEMPLATE_ARGS="${CHART_DIR} --name e2e"
-  if [[ "$DISABLE_CUSTOM_RESOURCE_MANAGER" == "true" ]]; then
-    HELM_TEMPLATE_EXTRA_ARGS="--set crds.create=true --set customResourceManagerDisabled=true"
-  else
-    HELM_TEMPLATE_EXTRA_ARGS=""
-    E2E_EXTRA_ARGS=""
-  fi
-fi
 
 helm template ${HELM_TEMPLATE_ARGS} \
-  ${HELM_TEMPLATE_EXTRA_ARGS} \
+  --include-crds \
   --set image.repository=external-secrets \
   --set image.tag=test \
   --set env.LOG_LEVEL=debug \
@@ -132,7 +113,6 @@ kubectl run \
   --env="AWS_DEFAULT_REGION=us-east-1" \
   --env="AWS_REGION=us-east-1" \
   --env="LOCALSTACK_STS_URL=http://sts" \
-  ${E2E_EXTRA_ARGS} \
   --generator=run-pod/v1 \
   --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "external-secrets-e2e"}}' \
   e2e --image=external-secrets-e2e:test

e2e/tests/crd.test.js

@@ -5,8 +5,7 @@ const { expect } = require('chai')
 
 const {
   kubeClient,
-  customResourceManifest,
-  customResourceManagerDisabled
+  customResourceManifest
 } = require('../../config')
 
 const {
@@ -21,11 +20,7 @@ describe('CRD', () => {
       .customresourcedefinitions(customResourceManifest.metadata.name)
       .get()
 
-    let managedBy = 'custom-resource-manager'
-    if (customResourceManagerDisabled) {
-      managedBy = 'helm'
-    }
-
+    const managedBy = 'helm'
     expect(res).to.not.equal(undefined)
     expect(res.statusCode).to.equal(200)
     expect(res.body.metadata.annotations['app.kubernetes.io/managed-by']).to.equal(managedBy)