diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..9bdb1e4 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @external-secrets/maintainers diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..5fef663 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,25 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: kind/bug +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. provide all relevant manifests +2. provide the Kubernetes and ESO version + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/create_release.md b/.github/ISSUE_TEMPLATE/create_release.md new file mode 100644 index 0000000..42ae145 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/create_release.md 
@@ -0,0 +1,30 @@ +--- +name: Create Release +about: Release template to track the next release +title: Release x.y +labels: area/release +assignees: '' + +--- + +This Issue tracks the next ESO release. Please follow the guideline below. If anything is missing or unclear, please add a comment to this issue so this can be improved after the release. + +#### Preparation Tasks + +- [ ] ask in `#external-secrets-dev` if we're ready for a release cut-off or if something needs to get urgently in +- [ ] docs: [stability & support page](https://external-secrets.io/main/introduction/stability-support/) is up to date + - [ ] version table + - [ ] Provider Stability and Support table + - [ ] Provider Feature Support table +- [ ] docs: update [roadmap page](https://external-secrets.io/main/contributing/roadmap/) +- [ ] tidy up [Project Board](https://github.com/orgs/external-secrets/projects/2) + - [ ] move issues to next milestone + - [ ] close milestone + +#### Release Execution + +- [ ] Follow the [Release Process guide](https://external-secrets.io/main/contributing/release/) + +#### After Release Tasks + +- [ ] Announce release on `#external-secrets` in Slack diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..d681cbf --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: kind/feature +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f689040 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,21 @@ +version: 2 + +updates: + - package-ecosystem: "github-actions" + directory: "/" + groups: + # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups + ci: + patterns: + - "*" + schedule: + interval: "weekly" + day: "sunday" + - package-ecosystem: "gomod" + directory: "/" + groups: + go: + update-types: ["minor","patch"] + schedule: + interval: "weekly" + day: "sunday" diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..4d5867b --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,19 @@ +## Problem Statement + +What is the problem you're trying to solve? + +## Related Issue + +Fixes #... + +## Proposed Changes + +How do you like to solve the issue and why? + +## Checklist + +- [ ] I have read the [contribution guidelines](https://external-secrets.io/latest/contributing/process/#submitting-a-pull-request) +- [ ] All commits are signed with `git commit --signoff` +- [ ] My changes have reasonable test coverage +- [ ] All tests pass with `make test` +- [ ] I ensured my PR is ready for review with `make reviewable` 
diff --git a/.github/workflows/check-manifest-generation-diff.yaml b/.github/workflows/check-manifest-generation-diff.yaml new file mode 100644 index 0000000..db7ab1a --- /dev/null +++ b/.github/workflows/check-manifest-generation-diff.yaml @@ -0,0 +1,31 @@ +name: Check for diff after manifest and generated targets + +on: + pull_request: {} + +jobs: + diff-check-manifests: + name: Check for diff + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: '${{ github.workspace }}/go.mod' + - name: Restore Go cache + uses: actions/cache@v4 + with: + path: /home/runner/work/_temp/_github_home/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + - name: go mod tidy + run: | + go mod tidy + - name: Check for diff + run: | + git diff --exit-code --shortstat diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml new file mode 100644 index 0000000..b95cb3d --- /dev/null +++ b/.github/workflows/tests.yaml @@ -0,0 +1,38 @@ +name: test and lint + +on: + pull_request: + paths-ignore: + - 'CODE_OF_CONDUCT.md' + - 'README.md' + - 'Contributing.md' + workflow_call: + + push: + branches: + - main + +permissions: + contents: read # for actions/checkout to fetch code + +jobs: + run-test-suite: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: '${{ github.workspace }}/go.mod' + - name: Restore Go cache + uses: actions/cache@v4 + with: + path: /home/runner/work/_temp/_github_home/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + - name: Run lint + run: make lint + - name: Run tests + run: make test diff --git a/.golangci.yaml b/.golangci.yaml new file mode 100644 index 0000000..fbf2deb --- /dev/null +++ b/.golangci.yaml 
@@ -0,0 +1,127 @@ +run: + timeout: 10m + +linters-settings: + gci: + sections: + - "standard" + - "default" + - "prefix(github.com/external-secrets/bitwarden-sdk-server)" + - "blank" + - "dot" + goconst: + min-len: 3 + min-occurrences: 3 + gocritic: + enabled-tags: + - diagnostic + - experimental + - opinionated + - performance + - style + disabled-checks: + - dupImport + - ifElseChain + - octalLiteral + - whyNoLint + - wrapperFunc + - importShadow + - unnamedResult + - unnecessaryBlock + settings: + rangeValCopy: + sizeThreshold: 512 + hugeParam: + sizeThreshold: 512 + gocyclo: + min-complexity: 16 + goheader: + template-path: ./hack/boilerplate.go.txt + dupl: + threshold: 200 + govet: + check-shadowing: false + lll: + line-length: 300 + misspell: + locale: US + +linters: + disable-all: true + enable: + - asciicheck + - bodyclose + - dogsled + - dupl + - errcheck + - errorlint + - exhaustive + - exportloopref + - gci + - goheader + - goconst + - gocritic + - godot + - gofmt + - goprintffuncname + - gosec + - gosimple + - govet + - ineffassign + - lll + - misspell + - nakedret + - nolintlint + - prealloc + - staticcheck + - stylecheck + - typecheck + - unconvert + - unparam + - unused + - whitespace + +issues: + # Excluding configuration per-path and per-linter + exclude-rules: + # Exclude some linters from running on tests files. + - path: _test(ing)?\.go + linters: + - gocyclo + - errcheck + - dupl + - gosec + - unparam + - lll + + # Ease some gocritic warnings on test files. + - path: _test\.go + text: "(unnamedResult|exitAfterDefer)" + linters: + - gocritic + + # This is a "potential hardcoded credentials" warning. It's triggered by + # any variable with 'secret' in the same, and thus hits a lot of false + # positives in Kubernetes land where a Secret is an object type. + - text: "G101:" + linters: + - gosec + + # The header check doesn't correctly parse the header as a code comment and is + # triggered by the perceived diff. 
The header check still correctly detects missing + # license headers and is useful for some cases. + - text: "Actual:" + linters: + - goheader + + # excluding deprecation check introduced on purpose in #2884 + - path: pkg/provider/fake/fake.go + text: 'SA1019: data.ValueMap is deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' + - path: pkg/provider/fake/fake_test.go + text: 'SA1019: data.ValueMap is deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' + + # Maximum issues count per one linter. Set to 0 to disable. Default is 50. + max-per-linter: 0 + + # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. + max-same-issues: 0 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..f78f1ce --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,6 @@ +# Contributing + +See the [Developer guide](docs/contributing/devguide.md) for information +about setting up your development environment, and the +[Contributing Process](docs/contributing/process.md) document +for details about the workflow. diff --git a/GOVERNANCE.md b/GOVERNANCE.md new file mode 100644 index 0000000..9700b69 --- /dev/null +++ b/GOVERNANCE.md 
@@ -0,0 +1,105 @@ +# External Secrets Operator Governance + +This document defines the project governance for ESO. + +## Overview + +**External Secrets Operator** is a Kubernetes operator that integrates external +secret management systems like [AWS Secrets +Manager](https://aws.amazon.com/secrets-manager/), [HashiCorp +Vault](https://www.vaultproject.io/), [Google Secrets +Manager](https://cloud.google.com/secret-manager), [Azure Key +Vault](https://azure.microsoft.com/en-us/services/key-vault/), [CyberArk Conjur](https://www.conjur.org) and many more. The +operator reads information from external APIs and automatically injects the +values into a [Kubernetes +Secret](https://kubernetes.io/docs/concepts/configuration/secret/). + +## Community Roles + +* **Users:** Members that engage with the ESO community via any medium (Slack, WeChat, GitHub, mailing lists, etc.). +* **Contributors:** Regular contributions to projects (documentation, code reviews, responding to issues, participation in proposal discussions, contributing code, etc.). +* **Maintainers**: The ESO project leaders. They are responsible for the overall health and direction of the project; final reviewers of PRs and responsible for releases. Some Maintainers are responsible for one or more components within a project, acting as technical leads for that component. Maintainers are expected to contribute code and documentation, review PRs including ensuring quality of code, triage issues, proactively fix bugs, and perform maintenance tasks for these components. + +### Maintainers + +New maintainers must be nominated by an existing maintainer(e.g. via [PR](https://github.com/external-secrets/external-secrets/pull/1591)) and must be elected by a supermajority of existing maintainers. Likewise, maintainers can be removed by a supermajority of the existing maintainers or can resign by notifying one of the maintainers. + +### Supermajority + +A supermajority is defined as two-thirds of members in the group. 
+A supermajority of [Maintainers](#maintainers) is required for certain +decisions as outlined above. Voting on decisions can happen on the mailing list, GitHub, Slack, email, or via a voting service, when appropriate. Maintainers can either vote "agree, yes, +1", "disagree, no, -1", or "abstain". A vote passes when supermajority is met. An abstain vote equals not voting at all. + +### Decision Making + +Ideally, all project decisions are resolved by consensus. If impossible, any +maintainer may call a vote. Unless otherwise specified in this document, any +vote will be decided by a supermajority of maintainers. + +Votes by maintainers belonging to the same company +will count as one vote; e.g., 4 maintainers employed by fictional company **ESOtum** will +only have **one** combined vote. If voting members from a given company do not +agree, the company's vote is determined by a supermajority of voters from that +company. If no supermajority is achieved, the company is considered to have +abstained. + +## Proposal Process + +One of the most important aspects in any open source community is the concept +of proposals. Large changes to the codebase and / or new features should be +preceded by a proposal in our community repo. This process allows for all +members of the community to weigh in on the concept (including the technical +details), share their comments and ideas, and offer to help. It also ensures +that members are not duplicating work or inadvertently stepping on toes by +making large conflicting changes. + +The project roadmap is defined by accepted proposals. + +Proposals should cover the high-level objectives, use cases, and technical +recommendations on how to implement. In general, the community member(s) +interested in implementing the proposal should be either deeply engaged in the +proposal process or be an author of the proposal. 
+ +The proposal should be documented as a separated markdown file pushed to the +`design` folder in the [external-secrets repository](https://github.com/external-secrets/external-secrets/tree/main/design) +repository via PR. The name of the file should follow the name pattern `.md`, e.g: +`000-clear-old-tags-with-policies.md`. + +Use the [Proposal Template](design/000-template.md) as a starting point. + +### Proposal Lifecycle + +The proposal PR can be marked with different status labels to represent the +status of the proposal: + +* **New**: Proposal is just created. +* **Reviewing**: Proposal is under review and discussion. +* **Accepted**: Proposal is reviewed and accepted (either by consensus or vote). +* **Rejected**: Proposal is reviewed and rejected (either by consensus or vote). + +## Lazy Consensus + +The concept of [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) is practiced. Ideas +and / or proposals should be shared by maintainers via +GitHub with the appropriate maintainer groups (e.g., +`@external-secrets/maintainers`) tagged. Out of respect for other contributors, +major changes should also be accompanied by a ping on Slack or a note on the +ESO dev mailing list as appropriate. Author(s) of proposal, Pull Requests, +issues, etc. will give a time period of no less than five (5) working days for +comment and remain cognizant of popular observed world holidays. + +Other maintainers may chime in and request additional time for review, but +should remain cognizant of blocking progress and abstain from delaying +progress unless absolutely needed. The expectation is that blocking progress +is accompanied by a guarantee to review and respond to the relevant action(s) +(proposals, PRs, issues, etc.) in short order. + + +Lazy consensus does _not_ apply to the process of: + +* Removal of maintainers from ESO. + +## Updating Governance + +All substantive changes in Governance require a supermajority agreement by all maintainers. 
diff --git a/MAINTAINERS.md b/MAINTAINERS.md new file mode 100644 index 0000000..c0ac8c9 --- /dev/null +++ b/MAINTAINERS.md 
@@ -0,0 +1,44 @@ +# External Secretes Operator Maintainers + +[GOVERNANCE.md](https://github.com/external-secrets/external-secrets/blob/main/GOVERNANCE.md) +describes governance guidelines and maintainer responsibilities. + +## Maintainers + +| Maintainer | GitHub ID | Affiliation | +| --------------- |-------------------------------------------------| ----------- | +| RealName Here | [knelasevero](https://github.com/knelasevero) | [Company](https://www.github.com/Company/) | +| RealName Here | [gusfcarvalho](https://github.com/gusfcarvalho) | [Company](https://www.github.com/Company/) | +| RealName Here | [moolen](https://github.com/moolen) | [Company](https://www.github.com/Company/) | +| RealName Here | [sebagomez](https://github.com/sebagomez) | [Company](https://www.github.com/Company/) | +| RealName Here | [rodrmartinez](https://github.com/rodrmartinez) | [Company](https://www.github.com/Company/) | +| RealName Here | [IdanAdar](https://github.com/IdanAdar) | [Company](https://www.github.com/Company/) | +| RealName Here | [Skarlso](https://github.com/Skarlso) | [Company](https://www.github.com/Company/) | + + +## External Secrets Operator Core Contributors & Stakeholders + +| ESO Feature Area | Lead | +| ----------------------------- | :---------------------: | +| Technical Lead | | +| Chief Architects | | +| Webhooks | | +| Setup, Installation, Upgrade Experience | | +| Helm Chart & HA | | +| Operator & Day 2 Operations | | +| Security | TBD | +| User Interface/Usability/User Experience | Meina Zhou (zhoumeina) | +| Scale & Performance | | +| Documentation | | +| Releases | | +| QA, Test Automation | | +| Community Management | | +| Product Management | | + +## Emeritus Maintainers + +* RealName Here, [Flydiverny](https://github.com/Flydiverny) +* RealName Here, [silasbw](https://github.com/silasbw) +* RealName Here, [mcavoyk](https://github.com/mcavoyk) +* RealName Here, [riccardomc](https://github.com/riccardomc) +* RealName Here, 
[jonatasbaldin](https://github.com/jonatasbaldin) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..50ba0e2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +- [Security Policy](#security-policy) + - [Reporting security problems](#reporting-security-problems) + - [Vulnerability Management Plans](#vulnerability-management-plans) + - [Critical Updates And Security Notices](#critical-updates-and-security-notices) + + +## Reporting security problems + +**DO NOT CREATE AN ISSUE** to report a security problem. Instead, please +send an email to cncf-ExternalSecretsOp-maintainers@lists.cncf.io + + +## Vulnerability Management Plans + +### Critical Updates And Security Notices + +We learn about critical software updates and security threats from these sources + +1. GitHub Security Alerts +2. [Dependabot](https://dependabot.com/) Dependency Updates + +## Security Incident Response + +Please follow the guide [SECURITY_RESPONSE.md](SECURITY_RESPONSE.md). diff --git a/SECURITY_RESPONSE.md b/SECURITY_RESPONSE.md new file mode 100644 index 0000000..724a6b8 --- /dev/null +++ b/SECURITY_RESPONSE.md 
@@ -0,0 +1,85 @@ +# Incident response + +This serves to define how potential security issues should be triaged, how +confirmation occurs, providing the notification, and issuing a security advisory +as well as patch/release. + +## Triage + +### Identify the problem + +Triaging issues allows maintainers to focus resources on the most critically +impacting problems. Potential security risks should be evaluated against the +following information: + +* Which component(s) of the project is impacted? +* What kind of problem is this? + * privilege escalation + * credential access + * code execution + * exfiltration + * lateral movement +* How complex is the problem? +* Is user interaction required? +* What privileges are required for this problem to occur? + * admin + * general +* What is the potential impact or consequence of the problem? +* Does an exploit exist? + +Any potential problem that has an exploit, permits privilege escalation, is +simple, and does not require user interaction should be evaluated immediately. +[CVSS Version 3.1](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) can be +a helpful tool in evaluating the criticality of reported issues. + +### Acknowledge receipt of the problem + +Respond to the reporter and notify them that you have received and begun reviewing the problem. Remind them of the [embargo policy](https://github.com/cncf/tag-security/blob/231b87f371274b2d68def2c6a35a719210836191/project-resources/templates/embargo-policy.md), and provide them +information on who to contact/follow-up with if they have questions. Estimate when they can expect to receive an update. Create a calendar reminder to contact them again by that date to provide an update. + +### Replicate the problem + +Follow the instructions relayed in the problem. If the instructions are +insufficient, contact the reporter and ask for more information. 
+ +If the problem cannot be replicated, re-engage the reporter, let them know it +cannot be replicated, and work with them to find a remediation. + +If the problem can be replicated, re-evaluate the criticality of the problem, and +begin working on a remediation. Begin a draft security advisory. + +Notify the reporter you were able to replicate the problem and have begun working +on a fix. Remind them of the [embargo policy](https://github.com/cncf/tag-security/blob/231b87f371274b2d68def2c6a35a719210836191/project-resources/templates/embargo-policy.md). If necessary, notify them of an +extension (only for very complex problems where remediation cannot be issued +within the project's specified window). + +#### Request a CVE number + +If a CVE has already been provided, be sure to include it on the advisory. If +one has not yet been created, [GitHub functions as a +CNA](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories#cve-identification-numbers) +and allows you to request one as part of the security advisory process. Provide +all required information and as much optional information as we can. The CVE +number is shown as reserved with no further details until notified it has been +published. + +## Notification + +Once the problem has been replicated and a remediation is in place, notify +subscribed parties with a security bulletin (use [this template](https://github.com/cncf/tag-security/blob/231b87f371274b2d68def2c6a35a719210836191/project-resources/templates/embargo.md)) and the expected publishing date. + +## Publish and release + +Once a CVE number has been assigned, publish and release the updated +version/patch. Be sure to notify the CVE group when published so the CVE details +are searchable. 
Be sure to give credit to the reporter by *[editing the security +advisory](https://docs.github.com/en/github/managing-security-vulnerabilities/editing-a-security-advisory#about-credits-for-security-advisories)* +as they took the time to notify and work with you on the problem! + +### Issue a security advisory + +Follow the instructions from [GitHub to publish the security advisory previously +drafted](https://docs.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory). + +For more information on security advisories, please refer to the [GitHub +Article](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories). \ No newline at end of file diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt new file mode 100644 index 0000000..e2fe4d1 --- /dev/null +++ b/hack/boilerplate.go.txt @@ -0,0 +1,13 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ \ No newline at end of file
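Review bot: the `create_release.md` issue template is the operator's release checklist copied verbatim: it says "This Issue tracks the next ESO release" and its preparation tasks (the stability & support page with provider tables, the roadmap page, the external-secrets Project Board and its milestones) describe the main external-secrets repository, not this module (the `gci` prefix in `.golangci.yaml` names `github.com/external-secrets/bitwarden-sdk-server`). Trim the checklist to the steps that actually apply to a release of this repository, or drop the template until there is a release process for it; the `Release x.y` title placeholder should at least say which component it versions.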
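Review bot: the `diff-check-manifests` job in `.github/workflows/check-manifest-generation-diff.yaml` only runs `go mod tidy`, so the workflow name "Check for diff after manifest and generated targets" promises more than it checks; either run the manifest/generation targets before the diff step or rename the workflow. On the same hunk, `git diff --exit-code --shortstat` ignores untracked files, so a newly generated file would not fail the check (`git add -A && git diff --cached --exit-code` covers both cases), and unlike `tests.yaml` this workflow sets no top-level `permissions:` block, so its token inherits the repository default instead of `contents: read`.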
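Review bot: both workflows pin actions to floating major tags (`actions/checkout@v4`, `actions/setup-go@v5`, `actions/cache@v4`); since `dependabot.yml` already groups `github-actions` updates weekly, pinning to full commit SHAs with a version comment adds no maintenance cost and removes the risk of a moved tag. Also, `actions/setup-go@v5` caches the module download cache on its own by default, so the manual `actions/cache@v4` step keyed on `**/go.sum` is redundant, and its path `/home/runner/work/_temp/_github_home/go/pkg/mod` is not the default `GOMODCACHE` on `ubuntu-latest`, so it would cache an empty directory; drop the step, or set `cache: false` on `setup-go` if the custom path is intentional.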
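Review bot: the `exclude-rules` in `.golangci.yaml` carry entries copied from the main external-secrets repository that cannot apply here: the two `SA1019: data.ValueMap is deprecated` suppressions reference `pkg/provider/fake/fake.go`, `pkg/provider/fake/fake_test.go` and PR `#2884`, none of which belong to this module; drop them. More important, the `G101:` exclusion is not path-scoped, so gosec's hardcoded-credential check is silenced across all production code, and the stated justification (Kubernetes `Secret` object types) fits the operator, not an SDK server; scope the rule to the paths where it actually fires or replace it with targeted `//nolint:gosec` comments. Minor: `govet.check-shadowing` and the `exportloopref` linter are deprecated in current golangci-lint releases (use the `shadow` govet analyzer and `copyloopvar`), and `lll: line-length: 300` makes that linter nearly a no-op.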
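Review bot: in `GOVERNANCE.md` the proposal file-name rule reads "should follow the name pattern `.md`", so the actual pattern (the numbered prefix that the example `000-clear-old-tags-with-policies.md` illustrates) is missing from the sentence and should be restored. Same hunk: "pushed to the `design` folder in the [external-secrets repository](...) repository" repeats "repository", "existing maintainer(e.g. via" needs a space before the parenthesis, and the relative link `design/000-template.md` points at a folder this repository does not contain, so either add a `design/` folder here or make that link explicitly point at the external-secrets repository like the one before it.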
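Review bot: `MAINTAINERS.md` still contains template placeholders: every maintainer row reads "RealName Here" with the affiliation `[Company](https://www.github.com/Company/)`, the Emeritus list repeats the same placeholder, and the "Core Contributors & Stakeholders" table is empty apart from a "Security: TBD" row and a single UI/UX lead that looks inherited from the template rather than from this project. Fill in real names and affiliations (or drop those columns) and remove the empty table before merge; the heading also misspells "Secretes".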
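Review bot: the table of contents in `SECURITY.md` omits the "Security Incident Response" section the file ends with, and "Critical Updates And Security Notices" is the only subsection under "Vulnerability Management Plans", which reads as a leftover of a longer template; flatten or complete it. Since `SECURITY_RESPONSE.md` relies on GitHub security advisories for drafting, CVE assignment and publication, consider enabling GitHub private vulnerability reporting on the repository and listing it next to the mailing-list address, so reports and advisories live in one place. The sentence "We learn about critical software updates and security threats from these sources" is missing its terminating colon.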
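Review bot: `SECURITY_RESPONSE.md` tells the handler to remind the reporter of the embargo policy twice and refers to "the project's specified window" when granting an extension, but never states what that window is; add the disclosure window (or a link to where it is defined) at the first embargo reference so an extension has something to be measured against. Smaller points: "as much optional information as we can" breaks the imperative voice used elsewhere ("as you can"), the reporter-credit sentence belongs under "Issue a security advisory" rather than before it, and the file lacks a trailing newline (`\ No newline at end of file`).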
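Review bot: `hack/boilerplate.go.txt` is used by the `goheader` linter as the required license header, but it omits the copyright line that normally precedes the Apache 2.0 notice; if that omission is deliberate, say so in a comment in `.golangci.yaml`, otherwise add it before enabling the linter, since every Go file will be checked against this exact text. The file also lacks a trailing newline (`\ No newline at end of file`), which `goheader` will compare literally.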