Merge branch 'main' into VAULT-26529/vds-work-around-scheduled-static…

…-creds-ttl-rollover
hashicorp · May 9, 2024 · d4ae775 · d4ae775
2 parents 5d6bb40 + cd702f4
commit d4ae775
Show file tree

Hide file tree

Showing 30 changed files with 504 additions and 125 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Unreleased
+
+Features:
+* Sync: support argo.Rollout for RolloutRestartTarget: [GH-702](https://github.com/hashicorp/vault-secrets-operator/pull/702)
+
 ## 0.6.0 (April 24th, 2024)
 
 Fix:

diff --git a/Dockerfile b/Dockerfile
@@ -68,7 +68,7 @@ ENTRYPOINT ["/vault-secrets-operator"]
 
 # ubi build image
 # -----------------------------------
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-949 as build-ubi
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-949.1714662671 as build-ubi
 RUN microdnf --refresh --assumeyes upgrade ca-certificates
 
 # ubi release image

diff --git a/Makefile b/Makefile
@@ -304,7 +304,7 @@ set-image: kustomize copy-config ## Set the controller image in CONFIG_MANAGER_D
 	cd $(CONFIG_MANAGER_DIR) && $(KUSTOMIZE) edit set image controller=$(IMG)
 
 .PHONY: set-image integration-test
-integration-test: set-image setup-vault ## Run integration tests for Vault OSS
+integration-test: set-image setup-vault ## Run integration tests for Vault Community
 	SUPPRESS_TF_OUTPUT=$(SUPPRESS_TF_OUTPUT) SKIP_CLEANUP=$(SKIP_CLEANUP) OPERATOR_NAMESPACE=$(OPERATOR_NAMESPACE) \
 	OPERATOR_IMAGE_REPO=$(IMAGE_TAG_BASE) OPERATOR_IMAGE_TAG=$(VERSION) \
 	VAULT_OIDC_DISC_URL=$(VAULT_OIDC_DISC_URL) VAULT_OIDC_CA=$(VAULT_OIDC_CA) \
@@ -316,7 +316,7 @@ integration-test: set-image setup-vault ## Run integration tests for Vault OSS
 	go test github.com/hashicorp/vault-secrets-operator/test/integration/... $(TESTARGS) -timeout=30m
 
 .PHONY: integration-test-helm
-integration-test-helm: setup-integration-test ## Run integration tests for Vault OSS
+integration-test-helm: setup-integration-test ## Run integration tests for Vault Community
 	$(MAKE) integration-test TEST_WITH_HELM=true
 
 .PHONY: integration-test-helm-ent
@@ -328,7 +328,7 @@ integration-test-ent: ## Run integration tests for Vault Enterprise
 	$(MAKE) integration-test VAULT_ENTERPRISE=true ENT_TESTS=$(VAULT_ENTERPRISE)
 
 .PHONY: integration-test-both
-integration-test-both: ## Run integration tests against Vault Enterprise and Vault OSS
+integration-test-both: ## Run integration tests against Vault Enterprise and Vault Community
 	$(MAKE) integration-test VAULT_ENTERPRISE=true ENT_TESTS=$(VAULT_ENTERPRISE)
 	$(MAKE) integration-test
 

diff --git a/README.md b/README.md
@@ -132,7 +132,7 @@ make integration-test
 # Create an EKS cluster and a ECR repository
 make -f aws.mk create-eks
 
-# Build the operator image and run the integration tests (includes Vault OSS deployment)
+# Build the operator image and run the integration tests (includes Vault Community deployment)
 make -f aws.mk build-push integration-test-eks
 
 # Run the integration tests (includes Vault ent deployment, have the Vault license as environment variable)
@@ -161,7 +161,7 @@ export GCP_PROJECT="<project_id>"
 # Create an GKE cluster and a GAR repository
 make -f gcp.mk create-gke
 
-# Build & operator image & run the integration tests (includes Vault OSS deployment)
+# Build & operator image & run the integration tests (includes Vault Community deployment)
 make -f gcp.mk build-push integration-test-gke
 
 # Run the integration tests (includes Vault ent deployment, have the Vault license as environment variable)
@@ -182,7 +182,7 @@ export AZURE_TENANT="<tenant_id>"
 # Create an AKS cluster and a ACR repository
 make -f azure.mk create-aks
 
-# Build  the operator image and run the integration tests (includes Vault OSS deployment)
+# Build  the operator image and run the integration tests (includes Vault Community deployment)
 make -f azure.mk build-push integration-test-aks
 
 # Run the integration tests (includes Vault ent deployment, have the Vault license as environment variable)

diff --git a/api/v1beta1/common.go b/api/v1beta1/common.go
@@ -39,10 +39,12 @@ type Destination struct {
 // with a timestamp value of when the trigger was executed.
 // E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 //
-// Supported resources: Deployment, DaemonSet, StatefulSet
+// Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
 type RolloutRestartTarget struct {
-	// +kubebuilder:validation:Enum={Deployment,DaemonSet,StatefulSet}
+	// Kind of the resource
+	// +kubebuilder:validation:Enum={Deployment,DaemonSet,StatefulSet,argo.Rollout}
 	Kind string `json:"kind"`
+	// Name of the resource
 	Name string `json:"name"`
 }
 

diff --git a/chart/crds/secrets.hashicorp.com_hcpvaultsecretsapps.yaml b/chart/crds/secrets.hashicorp.com_hcpvaultsecretsapps.yaml
@@ -226,15 +226,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/chart/crds/secrets.hashicorp.com_vaultdynamicsecrets.yaml b/chart/crds/secrets.hashicorp.com_vaultdynamicsecrets.yaml
@@ -271,15 +271,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml b/chart/crds/secrets.hashicorp.com_vaultpkisecrets.yaml
@@ -288,15 +288,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml b/chart/crds/secrets.hashicorp.com_vaultstaticsecrets.yaml
@@ -232,15 +232,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/chart/templates/manager-rbac.yaml b/chart/templates/manager-rbac.yaml
@@ -74,6 +74,15 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - rollouts
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
 - apiGroups:
   - secrets.hashicorp.com
   resources:

diff --git a/config/crd/bases/secrets.hashicorp.com_hcpvaultsecretsapps.yaml b/config/crd/bases/secrets.hashicorp.com_hcpvaultsecretsapps.yaml
@@ -226,15 +226,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/config/crd/bases/secrets.hashicorp.com_vaultdynamicsecrets.yaml b/config/crd/bases/secrets.hashicorp.com_vaultdynamicsecrets.yaml
@@ -271,15 +271,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml b/config/crd/bases/secrets.hashicorp.com_vaultpkisecrets.yaml
@@ -288,15 +288,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml b/config/crd/bases/secrets.hashicorp.com_vaultstaticsecrets.yaml
@@ -232,15 +232,18 @@ spec:
                     E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-                    Supported resources: Deployment, DaemonSet, StatefulSet
+                    Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
                   properties:
                     kind:
+                      description: Kind of the resource
                       enum:
                       - Deployment
                       - DaemonSet
                       - StatefulSet
+                      - argo.Rollout
                       type: string
                     name:
+                      description: Name of the resource
                       type: string
                   required:
                   - kind

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -79,6 +79,15 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - rollouts
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
 - apiGroups:
   - secrets.hashicorp.com
   resources:

diff --git a/controllers/hcpvaultsecretsapp_controller.go b/controllers/hcpvaultsecretsapp_controller.go
@@ -60,6 +60,13 @@ type HCPVaultSecretsAppReconciler struct {
 //+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps/finalizers,verbs=update
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+//
+// required for rollout-restart
+//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;patch
+//+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;patch
+//+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;patch
+//+kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=get;list;watch;patch
+//
 
 // Reconcile a secretsv1beta1.HCPVaultSecretsApp Custom Resource instance. Each
 // invocation will ensure that the configured HCP Vault Secrets Application data

diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
@@ -82,6 +82,7 @@ type VaultDynamicSecretReconciler struct {
 //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;patch
 //+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;patch
 //+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;patch
+//+kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=get;list;watch;patch
 //
 // needed for managing cached Clients, duplicated in vaultconnection_controller.go
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;delete;update;patch

diff --git a/controllers/vaultpkisecret_controller.go b/controllers/vaultpkisecret_controller.go
@@ -56,6 +56,7 @@ type VaultPKISecretReconciler struct {
 //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;patch
 //+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;patch
 //+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;patch
+//+kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=get;list;watch;patch
 //
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to

diff --git a/controllers/vaultstaticsecret_controller.go b/controllers/vaultstaticsecret_controller.go
@@ -50,6 +50,7 @@ type VaultStaticSecretReconciler struct {
 //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;patch
 //+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;patch
 //+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;patch
+//+kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=get;list;watch;patch
 //
 
 func (r *VaultStaticSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

diff --git a/docs/api/api-reference.md b/docs/api/api-reference.md
@@ -201,7 +201,7 @@ with a timestamp value of when the trigger was executed.
 E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"
 
 
-Supported resources: Deployment, DaemonSet, StatefulSet
+Supported resources: Deployment, DaemonSet, StatefulSet, argo.Rollout
 
 
 
@@ -213,8 +213,8 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `kind` _string_ |  |  | Enum: [Deployment DaemonSet StatefulSet] <br /> |
-| `name` _string_ |  |  |  |
+| `kind` _string_ | Kind of the resource |  | Enum: [Deployment DaemonSet StatefulSet argo.Rollout] <br /> |
+| `name` _string_ | Name of the resource |  |  |
 
 
 #### SecretTransformation