review comments implementation

Author: syedhaseebahmed

components/secretstore-gen-secrets/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-name: site-secrets
-description: Orchestrating secrets across kubernetes clusters (global-site) using External SecretStore
+name: secretstore-gen-secrets
+description: Secret store backed External Secrets generator
 type: application
 version: 0.1.0
 appVersion: "1.0"

components/secretstore-gen-secrets/templates/secrets.yaml.tmpl

@@ -1,6 +1,5 @@
-{{- $site := .Values.site }}
-{{- $secretStore := $site.secretStore }}
-{{- range $site.secrets }}
+{{- $secretStore := .Values.secretStore }}
+{{- range .Values.secrets }}
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

components/secretstore-gen-secrets/values.yaml

@@ -1,8 +1 @@
-site:
-  name: uc-iad3-dev
-  partition: uc-dev
-  env: dev
-  role: aio
-  secretStore:
-    kind: SecretStore
-    name: vault
+---

docs/schema/component-secretstore-gen-secrets.schema.json

@@ -0,0 +1,226 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Secret store backed External Secrets generator Helm Chart Values",
+  "description": "Schema for Secret store backed secrets generator Helm chart values.yaml configuration",
+  "type": "object",
+  "properties": {
+    "secretStore": {
+      "type": "object",
+      "description": "Secret store backed secrets generator Secret Store configuration",
+      "properties": {
+        "kind": {
+          "type": "string",
+          "enum": ["ClusterSecretStore", "SecretStore"],
+          "description": "Type of secret store - ClusterSecretStore or SecretStore for namespaced"
+        },
+        "name": {
+          "type": "string",
+          "description": "Name of the ClusterSecretStore or SecretStore to use"
+        }
+      },
+      "required": ["kind", "name"],
+      "additionalProperties": false
+    },
+    "secrets": {
+      "type": "array",
+      "description": "Array of External Secret configurations",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Name of the ExternalSecret and target Secret resource"
+          },
+          "externalLinkAnnotationTemplate": {
+            "type": "string",
+            "description": "Optional template for external link annotations on ExternalSecret resources"
+          },
+          "labels": {
+            "type": "object",
+            "description": "Labels to apply to both ExternalSecret and target Secret",
+            "additionalProperties": {
+              "type": "string"
+            }
+          },
+          "refreshInterval": {
+            "type": "string",
+            "pattern": "^[0-9]+(s|m|h|d)$",
+            "default": "1h",
+            "description": "How often Secret store backed secrets generator refreshes this secret"
+          },
+          "templateType": {
+            "type": "string",
+            "default": "Opaque",
+            "description": "Kubernetes secret type for the target secret",
+            "enum": ["Opaque", "kubernetes.io/tls", "kubernetes.io/ssh-auth", "kubernetes.io/basic-auth", "kubernetes.io/dockerconfigjson", "kubernetes.io/service-account-token"]
+          },
+          "templateData": {
+            "type": "object",
+            "description": "Template data for constructing the target secret using Go templating",
+            "additionalProperties": {
+              "type": "string"
+            }
+          },
+          "data": {
+            "type": "array",
+            "description": "Individual data mappings from remote secrets to target secret keys",
+            "items": {
+              "type": "object",
+              "properties": {
+                "secretKey": {
+                  "type": "string",
+                  "description": "Key name in the target Kubernetes secret"
+                },
+                "remoteRef": {
+                  "type": "object",
+                  "description": "Reference to the remote secret",
+                  "properties": {
+                    "key": {
+                      "type": "string",
+                      "description": "Key/ID of the remote secret"
+                    },
+                    "property": {
+                      "type": "string",
+                      "description": "Property/field within the remote secret"
+                    },
+                    "conversionStrategy": {
+                      "type": "string",
+                      "default": "Default",
+                      "enum": ["Default", "Unicode"],
+                      "description": "Strategy for converting the secret value"
+                    },
+                    "decodingStrategy": {
+                      "type": "string",
+                      "default": "None",
+                      "enum": ["None", "Base64", "Base64URL", "Auto"],
+                      "description": "Strategy for decoding the secret value"
+                    },
+                    "metadataPolicy": {
+                      "type": "string",
+                      "default": "None",
+                      "enum": ["None", "Fetch"],
+                      "description": "Policy for handling secret metadata"
+                    }
+                  },
+                  "required": ["key"],
+                  "additionalProperties": false
+                }
+              },
+              "required": ["secretKey", "remoteRef"],
+              "additionalProperties": false
+            }
+          },
+          "dataFrom": {
+            "type": "array",
+            "description": "Bulk data extraction from remote secrets",
+            "items": {
+              "type": "object",
+              "properties": {
+                "extract": {
+                  "type": "object",
+                  "description": "Extract configuration for bulk secret retrieval",
+                  "properties": {
+                    "key": {
+                      "type": "string",
+                      "description": "Key/ID of the remote secret to extract from"
+                    },
+                    "property": {
+                      "type": "string",
+                      "description": "Specific property to extract (optional)"
+                    },
+                    "conversionStrategy": {
+                      "type": "string",
+                      "default": "Default",
+                      "enum": ["Default", "Unicode"],
+                      "description": "Strategy for converting the secret values"
+                    },
+                    "decodingStrategy": {
+                      "type": "string",
+                      "default": "None",
+                      "enum": ["None", "Base64", "Base64URL", "Auto"],
+                      "description": "Strategy for decoding the secret values"
+                    },
+                    "metadataPolicy": {
+                      "type": "string",
+                      "default": "None",
+                      "enum": ["None", "Fetch"],
+                      "description": "Policy for handling secret metadata"
+                    }
+                  },
+                  "required": ["key"],
+                  "additionalProperties": false
+                },
+                "find": {
+                  "type": "object",
+                  "description": "Find configuration for pattern-based secret discovery",
+                  "properties": {
+                    "path": {
+                      "type": "string",
+                      "description": "Path pattern to search for secrets"
+                    },
+                    "name": {
+                      "type": "object",
+                      "description": "Name pattern configuration",
+                      "properties": {
+                        "regexp": {
+                          "type": "string",
+                          "description": "Regular expression for matching secret names"
+                        }
+                      },
+                      "additionalProperties": false
+                    },
+                    "tags": {
+                      "type": "object",
+                      "description": "Tag filters for finding secrets",
+                      "additionalProperties": {
+                        "type": "string"
+                      }
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                "sourceRef": {
+                  "type": "object",
+                  "description": "Reference to a different secret store for this data source",
+                  "properties": {
+                    "storeRef": {
+                      "type": "object",
+                      "properties": {
+                        "name": {
+                          "type": "string",
+                          "description": "Name of the secret store"
+                        },
+                        "kind": {
+                          "type": "string",
+                          "enum": ["ClusterSecretStore", "SecretStore"],
+                          "description": "Kind of secret store"
+                        }
+                      },
+                      "required": ["name", "kind"],
+                      "additionalProperties": false
+                    }
+                  },
+                  "additionalProperties": false
+                }
+              },
+              "anyOf": [
+                {"required": ["extract"]},
+                {"required": ["find"]}
+              ],
+              "additionalProperties": false
+            }
+          }
+        },
+        "required": ["name"],
+        "anyOf": [
+          {"required": ["data"]},
+          {"required": ["dataFrom"]},
+          {"required": ["templateData"]}
+        ],
+        "additionalProperties": false
+      }
+    }
+  },
+  "required": ["secretStore", "secrets"],
+  "additionalProperties": false
+}

workflows/nautobot/kustomization.yaml

@@ -9,5 +9,6 @@ resources:
 
   # noutobot secret
   - serviceaccounts/k8s-secret-events-nautobot.yaml
+  - serviceaccounts/k8s-job-create.yaml
   - eventsources/k8s-secret-nautobot-token.yaml
   - sensors/k8s-nautobot-secret.yaml

workflows/nautobot/sensors/k8s-nautobot-secret.yaml

@@ -9,7 +9,7 @@ metadata:
       this process ensures the user is created in Nautobot and a corresponding token is provisioned.
 spec:
   template:
-    serviceAccountName: k8s-events-secret-nautobot
+    serviceAccountName: k8s-job-create
   dependencies:
     - name: nautobot-token-secret
       eventSourceName: k8s-secret-nautobot-token
@@ -38,7 +38,7 @@ spec:
                   spec:
                     containers:
                       - name: nautobot-create-token
-                        image: ghcr.io/rackerlabs/understack/ansible:pr-1256
+                        image: ghcr.io/rackerlabs/understack/ansible:latest
                         imagePullPolicy: Always
                         command:
                           - "ansible-runner"

workflows/nautobot/serviceaccounts/k8s-job-create.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8s-job-create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: k8s-job
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create", "get", "list", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: k8s-job-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: k8s-job
+subjects:
+  - kind: ServiceAccount
+    name: k8s-job-create
+    namespace: nautobot

workflows/nautobot/serviceaccounts/k8s-secret-events-nautobot.yaml

@@ -3,21 +3,15 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: k8s-events-secret-nautobot
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: secret-reader
 rules:
-  - apiGroups:
-      - ""
-      - batch
-    resources:
-      - secrets
-      - jobs
-    verbs:
-      - '*'
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1