Merge remote-tracking branch 'origin/main' into VAULT-27904/add-vault…

…-client-callback-vss
hashicorp · Jul 23, 2024 · 9be9fa8 · 9be9fa8
2 parents e0d8ddf + ec467b0
commit 9be9fa8
Show file tree

Hide file tree

Showing 36 changed files with 751 additions and 198 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -343,9 +343,9 @@ jobs:
     outputs:
       # JSON encoded array of k8s versions
       K8S_VERSIONS: '["1.30.0", "1.29.4", "1.28.9", "1.27.13", "1.26.15"]'
-      VAULT_N: "1.16.3"
-      VAULT_N_1: "1.15.9"
-      VAULT_N_2: "1.14.13"
+      VAULT_N: "1.17.2"
+      VAULT_N_1: "1.16.6"
+      VAULT_N_2: "1.15.12"
   latest-vault:
     name: vault:${{ matrix.vault-version }} kind:${{ matrix.k8s-version }} ${{ matrix.installation-method }} enterprise=${{ matrix.vault-enterprise }}
     needs:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,59 @@
+## 0.8.0 (July 18th, 2024)
+**Important**
+
+* Helm: CRD schema changes are now automatically applied at upgrade time.
+
+  *See [updating-crds](https://developer.hashicorp.com/vault/docs/platform/k8s/vso/installation#updating-crds-when-using-helm) for more details.*
+
+* This release contains CRD schema changes which remove the field validation on most VaultAuth spec fields. That means invalid VaultAuth
+  configurations will no longer be handled at resource application time. Please review the VSO logs and K8s
+  events when troubleshooting Vault authentication issues.
+
+Features:
+* Helm: add support for auto upgrading CRDs: [GH-789](https://github.com/hashicorp/vault-secrets-operator/pull/789)
+* VaultStaticSecret: support [instant event-driven updates](https://developer.hashicorp.com/vault/docs/platform/k8s/vso/sources/vault#instant-updates): [GH-771](https://github.com/hashicorp/vault-secrets-operator/pull/771)
+* Add new [VaultAuthGlobal](https://developer.hashicorp.com/vault/docs/platform/k8s/vso/sources/vault#vaultauthglobal-custom-resource) type for shared VaultAuth configurations: 
+ [GH-735](https://github.com/hashicorp/vault-secrets-operator/pull/735)
+ [GH-800](https://github.com/hashicorp/vault-secrets-operator/pull/800)
+ [GH-847](https://github.com/hashicorp/vault-secrets-operator/pull/847)
+ [GH-855](https://github.com/hashicorp/vault-secrets-operator/pull/855)
+ [GH-850](https://github.com/hashicorp/vault-secrets-operator/pull/850)
+* CachingClientFactory: support client taints to trigger Vault client token validation: 
+  [GH-717](https://github.com/hashicorp/vault-secrets-operator/pull/717)
+  [GH-769](https://github.com/hashicorp/vault-secrets-operator/pull/769)
+
+Improvements:
+* VPS: add ca.crt from issuing CA for tls secret type: [GH-848](https://github.com/hashicorp/vault-secrets-operator/pull/848)
+* Helm: support setting VaultAuthGlobalRef on VaultAuth: [GH-851](https://github.com/hashicorp/vault-secrets-operator/pull/851)
+* Migrate to k8s.io/utils/ptr: [GH-856](https://github.com/hashicorp/vault-secrets-operator/pull/856)
+* Core: update backoff option docs: [GH-801](https://github.com/hashicorp/vault-secrets-operator/pull/801)
+
+Fix:
+* VaultAuth: set valid status on VaultAuthGlobal deref error: [GH-854](https://github.com/hashicorp/vault-secrets-operator/pull/854)
+* VDS: properly handle the clone cache key variant during client callback execution: [GH-835](https://github.com/hashicorp/vault-secrets-operator/pull/835)
+* Core: delete resource status metrics upon object deletion: [GH-815](https://github.com/hashicorp/vault-secrets-operator/pull/815)
+* VSS: use a constant backoff on some reconciliation errors: [GH-811](https://github.com/hashicorp/vault-secrets-operator/pull/811)
+* VDS: work around Vault DB static creds TTL rollover bug: [GH-730](https://github.com/hashicorp/vault-secrets-operator/pull/730)
+
+Build:
+* CI: bump Vault versions: [GH-797](https://github.com/hashicorp/vault-secrets-operator/pull/797)
+
+Dependency Updates:
+* Bump cloud.google.com/go/compute/metadata from 0.4.0 to 0.5.0: [GH-853](https://github.com/hashicorp/vault-secrets-operator/pull/853)
+* Bump github.com/gruntwork-io/terratest from 0.46.16 to 0.47.0: [GH-852](https://github.com/hashicorp/vault-secrets-operator/pull/852)
+* Bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5: [GH-834](https://github.com/hashicorp/vault-secrets-operator/pull/834)
+* Bump github.com/hashicorp/go-retryablehttp from 0.7.1 to 0.7.7: [GH-833](https://github.com/hashicorp/vault-secrets-operator/pull/833)
+* Bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0: [GH-810](https://github.com/hashicorp/vault-secrets-operator/pull/810)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0: [GH-843](https://github.com/hashicorp/vault-secrets-operator/pull/843)
+* Bump google.golang.org/api from 0.186.0 to 0.188.0: [GH-846](https://github.com/hashicorp/vault-secrets-operator/pull/846)
+* Bump google.golang.org/grpc from 1.64.0 to 1.64.1: [GH-845](https://github.com/hashicorp/vault-secrets-operator/pull/845)
+* Bump k8s.io/api from 0.30.1 to 0.30.2: [GH-822](https://github.com/hashicorp/vault-secrets-operator/pull/822)
+* Bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2: [GH-828](https://github.com/hashicorp/vault-secrets-operator/pull/828)
+* Bump k8s.io/client-go from 0.30.1 to 0.30.2: [GH-830](https://github.com/hashicorp/vault-secrets-operator/pull/830)
+* Bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.4: [GH-808](https://github.com/hashicorp/vault-secrets-operator/pull/808)
+* Bump ubi9/ubi-micro from 9.4-6.1716471860 to 9.4-9: [GH-819](https://github.com/hashicorp/vault-secrets-operator/pull/819)
+* Bump ubi9/ubi-minimal from 9.4-949.1717074713 to 9.4-1134: [GH-820](https://github.com/hashicorp/vault-secrets-operator/pull/820)
+
 ## 0.7.1 (May 30th, 2024)
 
 Fix:
@@ -31,7 +87,7 @@ Fix:
 * VDS: Selectively log calls to SyncRegistry.Delete(): [GH-718](https://github.com/hashicorp/vault-secrets-operator/pull/718)
 
 Build:
-* CI: test against vault-1.16.2: [GH-715](https://github.com/hashicorp/vault-secrets-operator/pull/715)
+* CI: Bump test vault versions: [GH-861](https://github.com/hashicorp/vault-secrets-operator/pull/861)
 * Bump GH actions for node 16 obsolescence: [GH-738](https://github.com/hashicorp/vault-secrets-operator/pull/738)
 
 Dependency Updates:

diff --git a/api/v1beta1/hcpauth_types.go b/api/v1beta1/hcpauth_types.go
@@ -49,12 +49,12 @@ type HCPAuthServicePrincipal struct {
 // HCPAuthStatus defines the observed state of HCPAuth
 type HCPAuthStatus struct {
 	// Valid auth mechanism.
-	Valid bool   `json:"valid"`
+	Valid *bool  `json:"valid"`
 	Error string `json:"error"`
 }
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 
 // HCPAuth is the Schema for the hcpauths API
 type HCPAuth struct {
@@ -65,7 +65,7 @@ type HCPAuth struct {
 	Status HCPAuthStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // HCPAuthList contains a list of HCPAuth
 type HCPAuthList struct {

diff --git a/api/v1beta1/secrettransformation_types.go b/api/v1beta1/secrettransformation_types.go
@@ -9,12 +9,12 @@ import (
 
 // SecretTransformationStatus defines the observed state of SecretTransformation
 type SecretTransformationStatus struct {
-	Valid bool   `json:"valid"`
+	Valid *bool  `json:"valid"`
 	Error string `json:"error"`
 }
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 
 // SecretTransformation is the Schema for the secrettransformations API
 type SecretTransformation struct {
@@ -55,7 +55,7 @@ type SourceTemplate struct {
 	Text string `json:"text"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // SecretTransformationList contains a list of SecretTransformation
 type SecretTransformationList struct {

diff --git a/api/v1beta1/vaultauth_types.go b/api/v1beta1/vaultauth_types.go
@@ -333,11 +333,12 @@ type VaultAuthGlobalRef struct {
 	// set on the operator's '-global-vault-auth-options' flag
 	//
 	// The default VaultAuthGlobal search is conditional.
-	// When a ref Namespace is not set, the search follows the order:
-	//  1. The referring VaultAuth Namespace.
-	//  2. The Operator's namespace.
-	// Otherwise, the search follows the order:
-	//  1. The VaultAuthGlobal ref Namespace.
+	// When a ref Namespace is set, the search for the default
+	// VaultAuthGlobal resource is constrained to that namespace.
+	// Otherwise, the search order is:
+	// 1. The default VaultAuthGlobal resource in the referring VaultAuth resource's
+	// namespace.
+	// 2. The default VaultAuthGlobal resource in the Operator's namespace.
 	AllowDefault *bool `json:"allowDefault,omitempty"`
 }
 
@@ -428,7 +429,7 @@ type VaultAuthSpec struct {
 // VaultAuthStatus defines the observed state of VaultAuth
 type VaultAuthStatus struct {
 	// Valid auth mechanism.
-	Valid      bool               `json:"valid,omitempty"`
+	Valid      *bool              `json:"valid,omitempty"`
 	Error      string             `json:"error,omitempty"`
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 	SpecHash   string             `json:"specHash,omitempty"`

diff --git a/api/v1beta1/vaultconnection_types.go b/api/v1beta1/vaultconnection_types.go
@@ -28,11 +28,11 @@ type VaultConnectionSpec struct {
 // VaultConnectionStatus defines the observed state of VaultConnection
 type VaultConnectionStatus struct {
 	// Valid auth mechanism.
-	Valid bool `json:"valid"`
+	Valid *bool `json:"valid"`
 }
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 
 // VaultConnection is the Schema for the vaultconnections API
 type VaultConnection struct {
@@ -43,7 +43,7 @@ type VaultConnection struct {
 	Status VaultConnectionStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // VaultConnectionList contains a list of VaultConnection
 type VaultConnectionList struct {

diff --git a/api/v1beta1/vaultpkisecret_types.go b/api/v1beta1/vaultpkisecret_types.go
@@ -135,7 +135,7 @@ type VaultPKISecretStatus struct {
 	// The SecretMac is also used to detect drift in the Destination Secret's Data.
 	// If drift is detected the data will be synced to the Destination.
 	SecretMAC string `json:"secretMAC,omitempty"`
-	Valid     bool   `json:"valid"`
+	Valid     *bool  `json:"valid"`
 	Error     string `json:"error"`
 }
 

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -3,8 +3,8 @@
 
 apiVersion: v2
 name: vault-secrets-operator
-version: 0.7.1
-appVersion: "0.7.1"
+version: 0.8.0
+appVersion: "0.8.0"
 kubeVersion: ">=1.21.0-0"
 description: Official Vault Secrets Operator Chart
 type: application

diff --git a/chart/crds/secrets.hashicorp.com_vaultauths.yaml b/chart/crds/secrets.hashicorp.com_vaultauths.yaml
@@ -254,11 +254,12 @@ spec:
 
 
                       The default VaultAuthGlobal search is conditional.
-                      When a ref Namespace is not set, the search follows the order:
-                       1. The referring VaultAuth Namespace.
-                       2. The Operator's namespace.
-                      Otherwise, the search follows the order:
-                       1. The VaultAuthGlobal ref Namespace.
+                      When a ref Namespace is set, the search for the default
+                      VaultAuthGlobal resource is constrained to that namespace.
+                      Otherwise, the search order is:
+                      1. The default VaultAuthGlobal resource in the referring VaultAuth resource's
+                      namespace.
+                      2. The default VaultAuthGlobal resource in the Operator's namespace.
                     type: boolean
                   mergeStrategy:
                     description: |-

diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -298,3 +298,39 @@ logging args
 {{- $ret | toYaml | nindent 8 -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+vaultAuthGlobalRef generates the global-vault-auth-global-ref flag for the manager.
+*/}}
+{{- define "vso.vaulAuthGlobalRef" -}}
+{{- if .Values.controller.manager.globalVaultAuthOptions.allowDefaultGlobals }}
+--global-vault-auth-global-ref
+{{- end -}}
+{{- end -}}
+
+{{/*
+vaultAuthGlobalRef generates the default VaultAuth spec.vaultAuthGlobalRef.
+*/}}
+{{- define "vso.vaultAuthGlobalRef" -}}
+{{- $ret := dict -}}
+{{- with .Values.defaultAuthMethod.vaultAuthGlobalRef -}}
+{{ $_ := set $ret "namespace" .namespace -}}
+{{ $_ = set $ret "name" .name -}}
+{{ if ne .allowDefault nil -}}
+{{- $_ = set $ret "allowDefault" .allowDefault -}}
+{{- end -}}
+{{- $strat := dict -}}
+{{- if .mergeStrategy.headers -}}
+{{- $_ = set $strat "headers" .mergeStrategy.headers -}}
+{{- end -}}
+{{- if .mergeStrategy.params -}}
+{{- $_ = set $strat "params" .mergeStrategy.params -}}
+{{- end -}}
+{{- if $strat -}}
+{{- $_ = set $ret "mergeStrategy" $strat -}}
+{{- end -}}
+{{- end -}}
+{{- if $ret -}}
+{{- $ret | toYaml | nindent 4 -}}
+{{- end -}}
+{{- end -}}
diff --git a/chart/templates/default-vault-auth-method.yaml b/chart/templates/default-vault-auth-method.yaml
@@ -24,4 +24,8 @@ spec:
   mount: {{ .Values.defaultAuthMethod.mount }}
   {{- $kubeServiceAccount := .Values.defaultAuthMethod.kubernetes.serviceAccount }}
   {{- include "vso.vaultAuthMethod" (list .Values.defaultAuthMethod $kubeServiceAccount . ) }}
+  {{- if .Values.defaultAuthMethod.vaultAuthGlobalRef.enabled }}
+  vaultAuthGlobalRef:
+  {{- include "vso.vaultAuthGlobalRef" . }}
+  {{- end }}
 {{- end }}