scothis / servicebinding-mapping-externalsecrets

Service Binding Mapping for External Secrets


This repo is archived. Provisioned service support is available directly on an ExternalSecret, no mapping required.


Reference implementation of the ServiceBinding.io 1.0 spec. The full specification is implemented; please open an issue for any discrepancies.

Getting Started

You’ll need a Kubernetes cluster to run against. You can use kind to get a local cluster for testing, or run against a remote cluster.

After the controller is deployed, try out the samples.

Deploy a released build

The easiest way to get started is by deploying the latest release. Alternatively, you can build the runtime from source.

Build from source

  1. Define where to publish images:

    export KO_DOCKER_REPO=<a-repository-you-can-write-to>

    For kind, a registry is not required:

    export KO_DOCKER_REPO=kind.local
  2. Build and deploy the controller to the cluster:

    Note: The cluster must have cert-manager and external-secrets deployed. The make deploy-cert-manager and make deploy-external-secrets targets deploy cert-manager and external-secrets respectively.

    make deploy

Undeploy controller

Undeploy the controller from the cluster:

make undeploy

Architecture

An ExternalSecretMapping mirrors every ExternalSecret resource in the cluster. The ExternalSecretMapping is a Service Binding Provisioned Service compatible resource that reflects the name of the secret defined by the ExternalSecret onto the ExternalSecretMapping status. Users should not create the ExternalSecretMapping resource directly: as ExternalSecret resources are created, updated, or deleted, the ExternalSecretMapping with the same namespace and name is created, updated, or deleted. The mapping does not alter the Secret or ExternalSecret resources in any way.

Once installed, a ServiceBinding can target an ExternalSecretMapping of the same name as the ExternalSecret as a service.

In the ServiceBinding replace:

spec:
  service:
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    name: my-secret

with:

spec:
  service:
    apiVersion: x-mapping.servicebinding.io/v1alpha1
    kind: ExternalSecretMapping
    name: my-secret
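
The mirroring described under Architecture, as an added Go sketch that is not the project's controller code. The types are simplified stand-ins, the sample resources are constructed, and the fallback from an empty spec.target.name to the ExternalSecret's own name is an assumption based on the external-secrets default.

```go
package main

import "fmt"

// Key identifies a namespaced resource.
type Key struct{ Namespace, Name string }

// ExternalSecret keeps only the fields this sketch needs (simplified stand-in).
type ExternalSecret struct {
	Key
	TargetName string // models spec.target.name; may be empty
}

// Mapping stands in for ExternalSecretMapping. BindingName models
// status.binding.name, the Provisioned Service field a ServiceBinding reads.
// It carries the Secret's name only, never the Secret's data.
type Mapping struct {
	Key
	BindingName string
}

// secretName resolves the Secret an ExternalSecret writes to.
// Assumption: an empty target name defaults to the ExternalSecret's name.
func secretName(es ExternalSecret) string {
	if es.TargetName != "" {
		return es.TargetName
	}
	return es.Name
}

// Mirror computes the desired mappings (one per ExternalSecret, same
// namespace/name) and the keys of existing mappings that no longer have a
// source ExternalSecret and should be deleted.
func Mirror(secrets []ExternalSecret, existing []Mapping) (map[Key]Mapping, []Key) {
	desired := make(map[Key]Mapping, len(secrets))
	for _, es := range secrets {
		desired[es.Key] = Mapping{Key: es.Key, BindingName: secretName(es)}
	}
	var stale []Key
	for _, m := range existing {
		if _, ok := desired[m.Key]; !ok {
			stale = append(stale, m.Key)
		}
	}
	return desired, stale
}

func main() {
	// Constructed sample resources.
	secrets := []ExternalSecret{{Key: Key{"apps", "my-secret"}}, {Key: Key{"apps", "db"}, TargetName: "db-credentials"}}
	fmt.Println(Mirror(secrets, []Mapping{{Key: Key{"apps", "old"}, BindingName: "old"}}))
}
```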

Contributing

Test It Out

Run the unit tests:

make test

Modifying the API definitions

If you are editing the API definitions, generate the manifests such as CRs or CRDs using:

make manifests

NOTE: Run make help for more information on all potential make targets.

More information can be found via the Kubebuilder Documentation.

Community, discussion, contribution, and support

The Service Binding Mapping for External Secrets project is a community-led effort. A bi-weekly working group call is open to the public. Discussions occur here on GitHub and on the #bindings-discuss channel in the Kubernetes Slack.

If you catch an error in the implementation, please let us know by opening an issue at our GitHub repository.

Code of conduct

Participation in the Service Binding community is governed by the Contributor Covenant.


License: Apache License 2.0

