### Complete Token Flow Example (Web Identity) Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/token-management.md Illustrates a complete token flow using web identity. This includes getting signed requests, creating service account OIDC tokens, assuming roles, retrieving AWS credentials, signing requests, creating Artifactory tokens, and setting token details. ```go // Web Identity Example err := handler.HandlingToken(ctx, &tokenDetails, secretRotator, recorder, k8sClient) // 1. GetSignedRequestForWebIdentity() called // 2. Service account OIDC token created // 3. STS AssumeRoleWithWebIdentity executed // 4. AWS credentials retrieved // 5. SigV4a request signed // 6. createArtifactoryToken() called // 7. JFrog token response received // 8. tokenDetails.Token and tokenDetails.Username set if err != nil { // Handle error } // Token now ready for secret creation secret.Data[`.dockerconfigjson`] = dockerConfig(tokenDetails.Username, tokenDetails.Token) ``` -------------------------------- ### Example for Multiple ARNs/Users Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md Example demonstrating how to configure multiple ARNs, users, and other parameters for the Terraform variables when dealing with multiple roles, policies, or service accounts. ```bash export TF_VAR_namespace=demo export TF_VAR_aws_iam_role_names="role1,role2" export TF_VAR_aws_iam_policy_names="policy1,policy2" export TF_VAR_service_accounts="serviceaccount1,serviceaccount2" export TF_VAR_service_account_namespace_pairs="serviceaccount1:namespace1,serviceaccount2:namespace2" export TF_VAR_service_users="user1,user2" export TF_VAR_jfrog_scoped_tokens="token1,token2" export TF_VAR_eks_cluster_name=aws-operator-jfrog export TF_VAR_eks_region=ap-northeast-3 export TF_VAR_jfrog_url="artifactory.jfrog.com" export TF_VAR_operator_version=latest ``` -------------------------------- ### Install Prometheus Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/config/monitoring/README.md Apply the Prometheus configuration to the specified namespace. ```shell kubectl apply -f prometheus -n ${NAMESPACE} ``` -------------------------------- ### Resulting Secret Example Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/configuration.md An example of a Kubernetes Secret generated by the operator, showing how the applied labels and annotations are reflected. ```yaml apiVersion: v1 kind: Secret metadata: name: my-secret namespace: production labels: app: jfrog managed-by: jfrog-operator annotations: description: "Auto-rotated Artifactory credentials" data: .dockerconfigjson: ... ``` -------------------------------- ### Get Namespace Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Retrieves a specific namespace by its name. ```go GET /api/v1/namespaces/{name} ``` -------------------------------- ### Install Operator Service Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/config/monitoring/README.md Apply the operator service configuration to the specified namespace. ```shell kubectl apply -f operator-service.yaml -n ${NAMESPACE} ``` -------------------------------- ### Configure Service Account Annotations for JFrog Operator Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/charts/jfrog-registry-operator/templates/NOTES.txt This section provides examples for configuring service account annotations, particularly for AWS IAM roles (IRSA). It shows how to set annotations for Helm installations and update them in a Custom Resource. ```bash export ANNOTATIONS='eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/jfrog-operator-role' Add set in helm install command: --set serviceAccount.annotations=${ANNOTATIONS} ``` ```yaml serviceAccount: name: "" namespace: "" ``` -------------------------------- ### Example Info Log Line Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/events-and-errors.md An example of an informational log message generated by the operator. It includes details about the reconciliation process. ```json { "level": "info", "ts": 1234567890.123, "caller": "controllers/secretrotator_controller.go:75", "msg": "Starting Artifactory Secret Rotation Reconcile", "secretrotator": { "name": "my-rotator", "namespace": "" } } ``` -------------------------------- ### Kubernetes: Generic Secret Example Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/secret-resource.md Example of a Kubernetes 'Opaque' Secret for storing generic credentials, such as username and token. It includes an 'ownerReference' pointing to a 'SecretRotator' resource. ```yaml apiVersion: v1 kind: Secret metadata: name: artifactory-credentials namespace: production ownerReferences: - apiVersion: apps.jfrog.com/v1alpha1 kind: SecretRotator name: my-rotator type: Opaque data: user: dXNlcm5hbWU= token: dG9rZW4= ``` -------------------------------- ### Run All E2E Tests Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/tests/README.md Execute all end-to-end tests from the operator folder. Ensure you have completed the prerequisite installations. ```shell # Run tests from the operator folder ./kuttl.sh ``` -------------------------------- ### Example Error Log Line Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/events-and-errors.md An example of an error log message. This indicates a recoverable error, such as missing secrets, and includes an error field. ```json { "level": "error", "ts": 1234567890.456, "caller": "internal/operations/operations.go:46", "msg": "No secrets defined", "error": "...", "secretrotator": { "name": "my-rotator" } } ``` -------------------------------- ### Kubernetes: Docker Secret Example Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/secret-resource.md Example of a Kubernetes Secret of type 'kubernetes.io/dockerconfigjson' used for Docker registry authentication. It includes an 'ownerReference' pointing to a 'SecretRotator' resource. ```yaml apiVersion: v1 kind: Secret metadata: name: artifactory-pull namespace: production ownerReferences: - apiVersion: apps.jfrog.com/v1alpha1 kind: SecretRotator name: my-rotator type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: | { "auths": { "artifactory.example.com": { "auth": "dXNlcm5hbWU6dG9rZW4=" } } } ``` -------------------------------- ### Get Secret Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Retrieves a specific secret from a namespace. ```go GET /api/v1/namespaces/{namespace}/secrets/{name} ``` -------------------------------- ### Setup SecretRotatorReconciler in main.go Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/controller-reconciliation.md Initializes and sets up the SecretRotatorReconciler. The initial RequeueInterval is set to 1 hour, but the actual reconciliation interval is dynamically calculated based on the token's Time-To-Live (TTL). ```go if err = (&controllers.SecretRotatorReconciler{ Log: mgr.GetLogger(), Client: mgr.GetClient(), Scheme: mgr.GetScheme(), Recorder: mgr.GetEventRecorderFor("SecretRotator-controller"), RequeueInterval: time.Hour, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "SecretRotator") os.Exit(1) } ``` -------------------------------- ### Namespace Selector with Complex Expressions Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/configuration.md This example demonstrates a more complex namespace selection using both matchLabels and matchExpressions. It allows for nuanced targeting based on multiple criteria like environment and exclusion lists. ```yaml namespaceSelector: matchLabels: managed: "true" matchExpressions: - key: environment operator: In values: [prod, staging] - key: deprecated operator: NotIn values: ["true"] ``` -------------------------------- ### IAM GetRole Request Parameters Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Example request parameters for the IAM GetRole API, used to retrieve role configuration. ```text Action=GetRole RoleName={roleName} Version=2010-05-08 ``` -------------------------------- ### SecretRotatorReconciler Reconcile Example Usage Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/controller-reconciliation.md Illustrates how the Reconcile method is invoked by the controller-runtime manager and how to handle its results and potential errors. ```go // Internally invoked by controller-runtime manager result, err := reconciler.Reconcile(ctx, ctrl.Request{ NamespacedName: types.NamespacedName{Name: "my-rotator", Namespace: ""}, }) if err != nil { // Handle non-recoverable errors } if result.RequeueAfter > 0 { // Will requeue after this duration } ``` -------------------------------- ### Install Operator with Custom Values File Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md Install the JFrog Secret Rotator operator using a custom values file that defines specific configurations, such as multiple service accounts. ```bash helm upgrade --install secretrotator jfrog/jfrog-registry-operator --create-namespace -f custom-values.yaml -n ${NAMESPACE} ``` -------------------------------- ### Configure Multi-User Service Accounts with Helm Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md For multi-user installations, create service accounts with specific role ARNs using a custom values file. This ensures each service account has the necessary permissions. ```yaml exchangedServiceAccounts: - name: "sample-service-account" namespace: "" annotations: eks.amazonaws.com/role-arn: < role arn > ``` -------------------------------- ### Get Service Account Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Retrieves a specific service account by name within a namespace. ```go GET /api/v1/namespaces/{namespace}/serviceaccounts/{name} ``` -------------------------------- ### Set Service Account Name for Helm Install Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md Define an environment variable for the desired Kubernetes service account name that will be used during the Helm installation of the JFrog Registry Operator. ```bash export SERVICE_ACCOUNT_NAME="" ``` -------------------------------- ### Namespace Operations Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Operations for managing Kubernetes Namespaces, including GET, LIST, and WATCH. ```APIDOC ## Namespace Operations ### Description Operations for managing Kubernetes Namespaces, including GET, LIST, and WATCH. ### Get Namespace - **Method**: GET - **Endpoint**: `GET /api/v1/namespaces/{name}` ### List Namespaces - **Method**: GET - **Endpoint**: `GET /api/v1/namespaces` - **Query Params**: `labelSelector` (required for filtering) ### Watch Namespaces - **Method**: GET - **Endpoint**: `GET /api/v1/namespaces?watch=true` ``` -------------------------------- ### Add JFrog Helm Repository Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md Add the JFrog Helm repository to your Helm client before installing JFrog Helm charts. Only Helm V3 is supported. ```bash helm repo add jfrog https://charts.jfrog.io ``` -------------------------------- ### Get Pod Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Retrieves a specific pod's metadata within a namespace. Used to identify the service account associated with a pod. ```go GET /api/v1/namespaces/{namespace}/pods/{name} ``` -------------------------------- ### Install SecretRotator Manifest Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md This Kubernetes manifest defines a SecretRotator custom resource. It configures how secrets are generated and rotated, including Artifactory integration and security settings. ```yaml apiVersion: apps.jfrog.com/v1alpha1 kind: SecretRotator metadata: labels: app.kubernetes.io/name: secretrotators.apps.jfrog.com app.kubernetes.io/instance: secretrotator app.kubernetes.io/created-by: artifactory-secrets-rotator name: secretrotator spec: namespaceSelector: matchLabels: kubernetes.io/metadata.name: jfrog-operator authType: webIdentity #auto, podIdentity generatedSecrets: - secretName: token-imagepull-secret secretType: docker # - secretName: token-generic-secret # secretType: generic artifactoryUrl: "artifactory.example.com" # artifactorySubdomains: [] refreshTime: 30m # serviceAccount: # The default name and namespace will be the operator’s service account name and namespace # name: "" # namespace: "" secretMetadata: annotations: annotationKey: annotationValue labels: labelName: labelValue security: enabled: false secretNamespace: ## NOTE: You can provide either a ca.pem or ca.crt. But make sure that key needs to same as ca.crt or ca.pem in secret certificateSecretName: insecureSkipVerify: false ``` -------------------------------- ### Get Pod Service Account Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Fetches the current pod's service account details. This function relies on POD_NAME and POD_NAMESPACE environment variables being set. ```go func GetServiceAccount( ctx context.Context, k8sClient client.Client, tokenDetails *TokenDetails, ) (*v1.ServiceAccount, error) { // Implementation details omitted for brevity return nil, nil } ``` -------------------------------- ### Web Identity Path Authentication Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/README.md Handles authentication using Web Identity. It creates a service account token, signs an STS request, and gets the maximum session. ```go // internal/handler/auth.go func (h *Handler) WebIdentityPath(ctx context.Context, req *http.Request) error { // GetSignedRequestForWebIdentity() // Create service account token // Sign STS request // GetMaxSession() return nil } ``` -------------------------------- ### Configuration Error Event Sequence Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/events-and-errors.md Recognize events that signal a misconfiguration within the SecretRotator setup. These events often point to problems with accessing required Kubernetes resources like service accounts. ```bash Warning Misconfiguration 1m SecretRotator-controller "failed to get service account..." ``` -------------------------------- ### Initialize and Plan Terraform Configuration Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md Use these commands to initialize the Terraform configuration, download provider plugins, and set up the backend. This prepares your environment for applying the configuration. ```bash terraform init terraform plan ``` -------------------------------- ### Main Go Program Initialization Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/README.md The main Go program initializes the Kubernetes scheme, controller-runtime manager, and the SecretRotatorReconciler. ```go package main import ( "flag" "os" // Import types for v1alpha1 CRDs "artifactory-secrets-rotator/api/v1alpha1" "artifactory-secrets-rotator/controllers" // etc. ) var ( metricsAddr string enableLeaderElection bool probeAddr string ) func main() { // ... initialization code ... // Initialize Kubernetes scheme and add v1alpha1 types s// Initialize controller-runtime manager // Initialize SecretRotatorReconciler // ... rest of the main function ... } ``` -------------------------------- ### Create Directory Tree Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Creates a directory and any necessary parent directories. Returns nil if the directory already exists or if creation is successful. Returns an error if creation fails. ```go func CreateDir(directoryname string) error ``` -------------------------------- ### Create Custom HTTP Client with TLS Configuration Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/token-management.md Creates an HTTP client with optional TLS configuration, supporting disabled security, insecure skip verify, and custom certificates (client and CA). ```Go func createCustomHTTPClient( securityDetails *v1alpha1.SecurityDetails, secretRotatorName string, ) (*http.Client, error) ``` -------------------------------- ### Kubernetes Client Initialization Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/kubernetes-client.md Initializes and returns a Kubernetes clientset. It attempts to use in-cluster configuration, falling back to KUBECONFIG environment variable or ~/.kube/config. Use this for direct Kubernetes API operations. ```go clientset, err := k8sClientSet.GetK8sClient() if err != nil { return fmt.Errorf("failed to initialize k8s client: %w", err) } // Use for direct Kubernetes API operations pod, err := clientset.CoreV1().Pods("default").Get(ctx, "my-pod", metav1.GetOptions{}) serviceAccount, err := clientset.CoreV1().ServiceAccounts("default").Get(ctx, "my-sa", metav1.GetOptions{}) token, err := clientset.CoreV1().ServiceAccounts("default").CreateToken( ctx, "my-sa", &authenticationv1.TokenRequest{...}, metav1.CreateOptions{}) ``` -------------------------------- ### Install or Upgrade CRD for Secret Rotator Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md Apply the Custom Resource Definition (CRD) for the Secret Rotator. Choose the cluster scope or namespace scope based on your installation requirements. ```bash kubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators_cluster_scope.yaml ``` ```bash kubectl apply -f https://raw.githubusercontent.com/jfrog/jfrog-registry-operator/refs/heads/master/config/crd/bases/apps.jfrog.com_secretrotators_namespaced_scope.yaml ``` -------------------------------- ### Create File Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Creates or truncates a file and writes the specified content to it. Returns an error if the operation fails. ```go func CreateFile(filePath, content string) error ``` -------------------------------- ### Apply Terraform Configuration Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md Execute this command to apply the Terraform configuration and provision the necessary resources. You will be prompted to confirm the changes before proceeding. ```bash terraform apply ``` -------------------------------- ### Export Terraform Variable for CRD Installation Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md This command exports the Terraform variable `TF_VAR_install_update_crd` to `true`, which is required to install or update the Custom Resource Definition (CRD) for the JFrog operator. By default, it is set to `false`. ```bash export TF_VAR_install_update_crd=true ``` -------------------------------- ### SecretRotatorReconciler SetupWithManager Method Signature Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/controller-reconciliation.md The signature for the SetupWithManager method, used to register the reconciler with the controller-runtime manager. ```go func (r *SecretRotatorReconciler) SetupWithManager(mgr ctrl.Manager) error ``` -------------------------------- ### Install JFrog Secret Rotator Operator with Helm Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md Install or upgrade the JFrog Secret Rotator operator using Helm. This command allows specifying a service account name and annotations, and creates the namespace if it doesn't exist. ```bash helm upgrade --install secretrotator jfrog/jfrog-registry-operator --set "serviceAccount.name=${SERVICE_ACCOUNT_NAME}" --set serviceAccount.annotations=${ANNOTATIONS} --namespace ${NAMESPACE} --create-namespace ``` -------------------------------- ### Get SecretRotator Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Retrieves a specific SecretRotator by its name. ```APIDOC ## GET /apis/apps.jfrog.com/v1alpha1/secretrotators/{name} ### Description Retrieves a specific SecretRotator by its name. ### Method GET ### Endpoint /apis/apps.jfrog.com/v1alpha1/secretrotators/{name} ### Parameters #### Path Parameters - **name** (string) - Required - The name of the SecretRotator to retrieve. ``` -------------------------------- ### List Namespaces Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Lists all namespaces. A labelSelector query parameter is required for filtering. ```go GET /api/v1/namespaces ``` -------------------------------- ### Check File Existence Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Verifies if a file exists and is a regular file (not a directory). ```go func FileExists(filename string) bool ``` -------------------------------- ### Configure AWS Credentials Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md Ensure your AWS credentials are set up using the AWS CLI. This command will prompt for your AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION. ```bash aws configure ``` -------------------------------- ### Get SecretRotator Status Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md Use this command to retrieve the status of the SecretRotator resource. ```bash kubectl get SecretRotator ``` -------------------------------- ### Certificate Path Constants Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/types-reference.md Defines variables for custom certificate and key file paths. ```go var ( CustomCertificatePath = "/usr/tmp/" CertPem = "/cert.pem" KeyPem = "/key.pem" CaPem = "/ca.pem" TlsCrt = "/tls.crt" TlsKey = "/tls.key" TlsCa = "/ca.crt" ) ``` -------------------------------- ### Kubernetes ObjectMeta Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/types-reference.md Provides standard Kubernetes metadata like name, namespace, labels, and annotations. ```go metav1.ObjectMeta `json:"metadata,omitempty"` ``` -------------------------------- ### JSON Marshaling and Unmarshaling in Go Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/types-reference.md Demonstrates how to marshal a Go object to JSON and unmarshal JSON data back into a Go object. Also shows YAML marshaling via kubebuilder. ```go // Marshal to JSON data, err := json.Marshal(secretRotator) // Unmarshal from JSON var sr v1alpha1.SecretRotator err := json.Unmarshal(data, &sr) // YAML support (via kubebuilder) yaml.Marshal(secretRotator) ``` -------------------------------- ### IAM GetRole Response XML Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Example XML response from the IAM GetRole API, including MaxSessionDuration. ```xml 3600 arn:aws:iam::123:role/my-role ... ``` -------------------------------- ### CreateDir Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Creates a directory, including any necessary parent directories. If the directory already exists, the function returns nil without error. ```APIDOC ## CreateDir ### Description Creates a directory tree. This function ensures that all parent directories are created if they do not exist. ### Signature ```go func CreateDir(directoryname string) error ``` ### Behavior - Returns nil if directory already exists - Creates all parent directories ### Returns `error` if creation fails ``` -------------------------------- ### Service Account Operations Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Operations for managing Kubernetes Service Accounts, including GET, LIST, PATCH, and UPDATE. ```APIDOC ## Service Account Operations ### Description Operations for managing Kubernetes Service Accounts, including GET, LIST, PATCH, and UPDATE. ### Get Service Account - **Method**: GET - **Endpoint**: `GET /api/v1/namespaces/{namespace}/serviceaccounts/{name}` - **Response**: `v1.ServiceAccount` object ### Patch Service Account - **Method**: PATCH - **Endpoint**: `PATCH /api/v1/namespaces/{namespace}/serviceaccounts/{name}` - **Used For**: Adding/updating annotations (not currently used by operator, but available) ``` -------------------------------- ### Go Struct for SecurityDetails Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/secretrotator-crd.md Defines TLS/SSL configuration for secure Artifactory connections. Use this to specify certificate details and verification preferences. ```go type SecurityDetails struct { Enabled bool `json:"enabled,omitempty"` CertificateSecretName string `json:"certificateSecretName,omitempty"` SecretNamespace string `json:"secretNamespace,omitempty"` InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"` } ``` -------------------------------- ### Secret Operations Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Operations for managing Kubernetes Secrets, including GET, CREATE, UPDATE, DELETE, LIST, and WATCH. ```APIDOC ## Secret Operations ### Description Operations for managing Kubernetes Secrets, including GET, CREATE, UPDATE, DELETE, LIST, and WATCH. ### Get Secret - **Method**: GET - **Endpoint**: `GET /api/v1/namespaces/{namespace}/secrets/{name}` - **Response**: `v1.Secret` object ### Create Secret - **Method**: POST - **Endpoint**: `POST /api/v1/namespaces/{namespace}/secrets` - **Body**: `v1.Secret` object ### Update Secret - **Method**: PUT - **Endpoint**: `PUT /api/v1/namespaces/{namespace}/secrets/{name}` - **Body**: `v1.Secret` object ### Patch Secret - **Method**: PATCH - **Endpoint**: `PATCH /api/v1/namespaces/{namespace}/secrets/{name}` - **Header**: `Content-Type: application/merge-patch+json` or `application/strategic-merge-patch+json` ### Delete Secret - **Method**: DELETE - **Endpoint**: `DELETE /api/v1/namespaces/{namespace}/secrets/{name}` ### List Secrets - **Method**: GET - **Endpoint**: `GET /api/v1/namespaces/{namespace}/secrets` - **Query Params**: `labelSelector`, `fieldSelector`, `limit`, `continue` ``` -------------------------------- ### Kubernetes ListMeta Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/types-reference.md Provides metadata for lists, including resourceVersion and continue tokens. ```go metav1.ListMeta `json:"metadata,omitempty"` ``` -------------------------------- ### Kubernetes Client Dependencies Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/kubernetes-client.md Imports required for Kubernetes client operations, including the client-go library and controller-runtime. ```go import ( "github.com/pkg/errors" "k8s.io/client-go/kubernetes" ctrl "sigs.k8s.io/controller-runtime" ) ``` -------------------------------- ### STS GetCallerIdentity Response XML Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Example XML response from the STS GetCallerIdentity API, used to identify the current AWS caller. ```xml arn:aws:iam::123456789:assumed-role/my-role/session-id AIDAI... 123456789 ... ``` -------------------------------- ### Minimal SecretRotator Configuration Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/configuration.md Use this minimal configuration to set up a basic SecretRotator. It requires namespace selection and at least one generated secret for Artifactory. ```yaml apiVersion: apps.jfrog.com/v1alpha1 kind: SecretRotator metadata: name: my-rotator spec: namespaceSelector: matchLabels: enable-jfrog: "true" artifactoryUrl: artifactory.example.com generatedSecrets: - secretName: artifactory-token secretType: docker ``` -------------------------------- ### SecretRotator Custom Resource Manifest Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/secretrotator-crd.md Example of a SecretRotator Custom Resource manifest. Use this to configure automatic rotation of Artifactory secrets. ```yaml apiVersion: apps.jfrog.com/v1alpha1 kind: SecretRotator metadata: name: artifactory-tokens spec: namespaceSelector: matchLabels: jfrog-operator: enabled artifactoryUrl: artifactory.example.com authType: auto awsRegion: us-west-2 refreshTime: 30m generatedSecrets: - secretName: artifactory-pull-secret secretType: docker - secretName: artifactory-credentials secretType: generic secretMetadata: labels: app: artifactory annotations: description: "Auto-rotated Artifactory credentials" security: enabled: false serviceAccount: name: jfrog-operator-sa namespace: jfrog-operator ``` -------------------------------- ### Sample SecretRotator Manifest Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/README.md This is a sample Kubernetes manifest for the SecretRotator custom resource. Configure parameters like artifactoryUrl, refreshTime, and generatedSecrets according to your environment. ```yaml apiVersion: apps.jfrog.com/v1alpha1 kind: SecretRotator metadata: labels: app.kubernetes.io/name: secretrotators.apps.jfrog.com app.kubernetes.io/instance: secretrotator app.kubernetes.io/created-by: artifactory-secrets-rotator name: secretrotator spec: namespaceSelector: matchLabels: kubernetes.io/metadata.name: jfrog-operator generatedSecrets: - secretName: token-imagepull-secret secretType: docker # - secretName: token-generic-secret # secretType: generic artifactoryUrl: "artifactory.example.com" authType: webIdentity #auto, podIdentity # artifactorySubdomains: [] refreshTime: 30m # serviceAccount: # The default name and namespace will be the operator’s service account name and namespace # name: "" # namespace: "" secretMetadata: annotations: annotationKey: annotationValue labels: labelName: labelValue security: enabled: false secretNamespace: ## NOTE: You can provide either a ca.pem or ca.crt. But make sure that key needs to same as ca.crt or ca.pem in secret certificateSecretName: insecureSkipVerify: false ``` -------------------------------- ### CreateFile Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Creates a new file or truncates an existing one, writing the provided content to it. The file is closed after the operation. ```APIDOC ## CreateFile ### Description Creates a file with specified content. If the file exists, it will be truncated. ### Signature ```go func CreateFile(filePath, content string) error ``` ### Behavior - Creates or truncates the file - Writes content as string - Closes file ### Returns `error` if operation fails ``` -------------------------------- ### Get SecretRotator Events in JSON Format Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/events-and-errors.md Retrieve events for a specific SecretRotator resource in JSON format for programmatic processing or detailed analysis. This is useful for automation and debugging. ```bash # Get events in JSON format kubectl get events --field-selector involvedObject.name=my-rotator -o json ``` -------------------------------- ### Artifactory Subdomains Configuration Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/configuration.md Configure additional Artifactory URLs for multi-region or multi-instance setups. These subdomains are added to the Docker config JSON auths section and share the same credentials. ```yaml artifactoryUrl: artifactory-primary.example.com artifactorySubdomains: - artifactory-us.example.com - artifactory-eu.example.com - artifactory-apac.example.com ``` -------------------------------- ### Clone Repository Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md Clone the repository containing the Terraform configuration to your local machine. ```bash git clone https://github.com/jfrog/jfrog-registry-operator.git cd jfrog-registry-operator/terraform ``` -------------------------------- ### EKS Pod Identity Credentials Endpoint Response JSON Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Example JSON response schema for the EKS Pod Identity Credentials endpoint, providing temporary AWS credentials. ```json { "AccessKeyId": "string", "SecretAccessKey": "string", "Token": "string" } ``` -------------------------------- ### Service Account Token Creation (Web Identity Flow) Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/kubernetes-client.md Creates a token for a Service Account, typically used for Web Identity flows with specific audiences and expiration. Requires the namespace, Service Account name, and a TokenRequest object. ```go // In handler/webidentity.go clientset, err := k8sClientSet.GetK8sClient() tokenRequest, err := clientset.CoreV1().ServiceAccounts(namespace).CreateToken( ctx, saName, &authenticationv1.TokenRequest{ Spec: authenticationv1.TokenRequestSpec{ Audiences: []string{operations.AmazonAwsSts}, ExpirationSeconds: ptr.Int64(operations.ServiceAccountExpirationSeconds), }, }, metav1.CreateOptions{}, ) ``` -------------------------------- ### Service Account Lookup Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/kubernetes-client.md Retrieves a Service Account object from Kubernetes, often used to get the Service Account name associated with a Pod. Requires the namespace and Pod name. ```go // In operations/operations.go - GetServiceAccount() clientset, err := k8sClientSet.GetK8sClient() pod, err := clientset.CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{}) serviceAccount, err := clientset.CoreV1().ServiceAccounts(namespace).Get( ctx, pod.Spec.ServiceAccountName, metav1.GetOptions{}) ``` -------------------------------- ### Identify Removed Namespaces Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/secret-resource.md Identifies namespaces that were previously provisioned but are no longer present in the current selection. This is useful for determining which namespaces need cleanup. ```go removed := getRemovedNamespaces(currentList, []string{"ns1", "ns2", "ns3"}) // ns1 and ns3 were provisioned but are no longer selected // Returns ["ns1", "ns3"] ``` -------------------------------- ### Watch Namespaces Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Watches for changes to namespaces. This endpoint is used for real-time event monitoring. ```go GET /api/v1/namespaces?watch=true ``` -------------------------------- ### Get Signed Request for Web Identity Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/token-management.md Generates a signed AWS STS GetCallerIdentity request using OIDC tokens obtained from a Kubernetes service account. This flow is suitable for IRSA authentication. ```go func GetSignedRequestForWebIdentity( ctx context.Context, tokenDetails *operations.TokenDetails, serviceAccount *corev1.ServiceAccount, recorder record.EventRecorder, clientset *kubernetes.Clientset, secretRotator *v1alpha1.SecretRotator, ) (*http.Request, error) ``` -------------------------------- ### Get IAM Role Max Session Duration with Credential Cache Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/token-management.md Similar to GetMaxSession, but exclusively uses a provided credential cache, suitable for Pod Identity flows where credentials are fetched from a container credentials endpoint. ```Go func GetMaxSessionWithCredentialCache( ctx context.Context, roleArn string, credCache *aws.CredentialsCache, tokenDetails *operations.TokenDetails, ) (*int32, error) ``` -------------------------------- ### Go: Managing Secrets Reconciliation Flow Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/secret-resource.md Illustrates the reconciliation flow for managing secrets, including deleting outdated secrets, creating/updating secrets for each namespace, and cleanup on deletion. This logic is part of the ManagingSecrets() function. ```go // 1. Delete outdated secrets failures := DeleteOutdatedSecrets(ctx, tokenDetails, name, status.ProvisionedNamespaces, client) // 2. For each namespace for _, ns := range tokenDetails.NamespaceList.Items { // 3. Check if secrets are owned existing, _ := GetSecret(ctx, ns.Name, secretName, client) if !IsSecretOwnedBy(existing, name) { // Skip; not owned by this rotator continue } // 4. Create/update with new token err, isCrossNS := CreateOrUpdateSecrets( req, ctx, tokenDetails, rotator, ns, client, scheme, secretName, secretType) } // 5. Cleanup on deletion if rotator.GetDeletionTimestamp() != nil { // Secrets are NOT automatically deleted (finalizer cleanup is custom) } ``` -------------------------------- ### Get Signed Request for Pod Identity Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/token-management.md Generates a signed AWS STS GetCallerIdentity request using temporary credentials obtained from the EKS Pod Identity Agent. This method is for direct temporary credential usage. ```go func GetSignedRequestForPodIdentity( ctx context.Context, tokenDetails *operations.TokenDetails, ) (*http.Request, error) ``` -------------------------------- ### Configure Security TLS Insecure Skip Verify Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/configuration.md Skip TLS certificate verification. This is unsafe and should only be used for testing purposes in non-production environments. ```yaml security: enabled: true insecureSkipVerify: true ``` -------------------------------- ### Get IAM Role Max Session Duration Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/token-management.md Retrieves the maximum session duration for an IAM role. It handles role name extraction from ARN and uses appropriate AWS credential loading based on the execution context (operator SA or external SA). ```Go func GetMaxSession( ctx context.Context, roleArn string, appCreds *aws.CredentialsCache, resourceSAName, resourceSANamespace string, tokenDetails *operations.TokenDetails, ) (*int32, error) ``` -------------------------------- ### TokenDetails Struct Definition Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Defines the runtime data structure holding all token and configuration details during reconciliation. Includes fields for secret management, namespace information, and Artifactory connection details. ```go type TokenDetails struct { SecretName string GeneratedSecrets []v1alpha1.GeneratedSecret NamespaceList v1.NamespaceList FailedNamespaces map[string]error ProvisionedNamespaces []string TTLInSeconds float64 SecretManagedByNamespaces map[string][]string Username string Token string ArtifactoryUrl string NamespaceSelector labels.Selector RequeueInterval time.Duration DefaultServiceAccountName string DefaultServiceAccountNamespace string RoleMaxSessionDuration *int32 IAMRoleAwsRegion string AuthType string } ``` -------------------------------- ### Secret Keys Constants Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Defines the keys used for generic and Docker secrets. ```go const ( GenericSecretUser = "user" GenericSecretToken = "token" DockerSecretJSON = ".dockerconfigjson" ) ``` -------------------------------- ### Error Message: No matching namespaces Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md This message signifies that no namespaces matched the configured namespace selector, resulting in the termination of the current reconciliation cycle. ```text Message: "No namespaces match the configured namespace selector, the current reconciliation cycle will end here" ``` -------------------------------- ### List Secrets Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md Lists all secrets in a namespace. Supports filtering by labelSelector, fieldSelector, and pagination with limit and continue. ```go GET /api/v1/namespaces/{namespace}/secrets ``` -------------------------------- ### Create Artifactory Token Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/README.md This function handles the creation of an Artifactory token by making a POST request to the Artifactory API. ```go // internal/handler/auth.go func createArtifactoryToken(httpClient *http.Client, artifactoryURL, username, token string) (string, error) { // createCustomHTTPClient() // POST to /access/api/v1/aws/token // Return username + token return "", nil } ``` -------------------------------- ### Error Message: No secrets defined Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md This message indicates that no secret details have been configured in either spec.generatedSecrets or spec.secretName. ```text Message: "No secrets defined in spec.generatedSecrets and spec.secretName. Please configure secret details." ``` -------------------------------- ### Run Specific E2E Tests Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/tests/README.md Execute specific end-to-end tests by providing a test name. The folder name corresponds to the test name. Extra kuttl arguments can also be passed. ```shell ./kuttl.sh "--test install" ``` -------------------------------- ### SecurityDetails Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/types-reference.md TLS/SSL configuration for Artifactory connections. ```APIDOC ## SecurityDetails ### Description TLS/SSL configuration for Artifactory connections. ### Fields - **Enabled** (bool) - Optional - Enable TLS validation. Defaults to `false`. - **CertificateSecretName** (string) - Optional - Kubernetes secret with certificates. - **SecretNamespace** (string) - Optional - Namespace containing certificate secret. - **InsecureSkipVerify** (bool) - Optional - Skip certificate verification (unsafe). Defaults to `false`. ``` -------------------------------- ### Go Struct for SecretNamespaceFailure Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/secretrotator-crd.md Records details of a failed secret deployment in a specific namespace. Use this to identify and troubleshoot namespace-specific secret creation issues. ```go type SecretNamespaceFailure struct { Namespace string `json:"namespace"` Reason string `json:"reason,omitempty"` } ``` -------------------------------- ### Verify Secrets in Kubernetes Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/terraform/README.md After applying the SecretRotator manifest, use this kubectl command to check for the creation of secrets within the specified Kubernetes namespace. ```bash kubectl get secrets -n ``` -------------------------------- ### API Group Constants Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/types-reference.md Defines constants for the API group, version, and resource kind. ```go const ( Group = "apps.jfrog.com" Version = "v1alpha1" ) var GroupVersion = schema.GroupVersion{Group: Group, Version: Version} var SecretKind = "SecretRotator" ``` -------------------------------- ### Authentication Types Constants Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/operations-api.md Defines constants for different authentication types supported by the operator. ```go const ( PodIdentityAuthType = "podIdentity" WebIdentityAuthType = "webIdentity" AutoAuthType = "auto" ) ``` -------------------------------- ### SigV4a Implementation in Go Source: https://github.com/jfrog/jfrog-registry-operator/blob/master/_autodocs/api-endpoints.md The Go implementation for SigV4a request signing is located in the internal/sign/signer.go file. This code handles the generation of the Authorization header. ```go package sign // Signer implements AWS SigV4a signing. type Signer struct { // ... fields ... } // NewSigner creates a new Signer. func NewSigner() *Signer { // ... implementation ... return &Signer{} } // Sign signs the request with SigV4a. func (s *Signer) Sign(req *http.Request, accessKey, secretKey, region, service string) error { // ... implementation ... return nil } ```