fix: revert namespace enforcement

Makefile

@@ -1,7 +1,7 @@
 # UPDATE_HERE
 # !!!!!!! NOTE: GOEXPERIMENT=nocoverageredesign is temp until 1.23.x
 GO := GOEXPERIMENT=nocoverageredesign GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.13.1
+SOPS_SEC_OPERATOR_VERSION := 0.13.0
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.15.0"

README.md

@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.30.x | v3.8.1 | 0.19.1 | 0.13.1 |
+| v1.30.x | v3.8.1 | 0.19.0 | 0.13.0 |
 | v1.29.x | v3.8.1 | 0.18.6 | 0.12.6 |
 | v1.28.x | v3.8.1 | 0.17.4 | 0.11.4 |
 | v1.27.x | v3.7.3 | 0.15.5 | 0.9.5 |
@@ -281,69 +281,6 @@ metadata:
 > previously not managed secret will be replaced by `SopsSecret` owned at the next rescheduled
   reconciliation event.
 
-## Enforcing decryption to one namespace
-
-To enforce decryption and kubernetes `Secrets` creation only to specific `Namespace`, it is possible to
-configure two additional parameters and encrypt in a specific way `SopsSecret` resource, example snippet of
-the raw `SopsSecret` resource:
-
-```yaml
-apiVersion: isindir.github.com/v1alpha3
-kind: SopsSecret
-metadata:
-  name: example-sopssecret
-  namespace: "cicd"
-spec:
-  enforceNamespace: true                   # must be set to true for enforcement to work
-  secretTemplatesEnforcedNamespace: "cicd" # must match to in cluster namespace of the sops.metadata.namespace
-  suspend: false
-  secretTemplates:
-    - name: jenkins-secret
-      labels:
-...
-```
-
-encrypt this file using example command:
-
-```sh
-sops -e --age ${SOPS_AGE_RECIPIENTS} --encrypted-regex secretTemplates jenkins-secrets.yaml > jenkins-secrets.enc.yaml
-```
-> it will encrypt all the fields which contain `secretTemplates` and as both - `secretTemplates` and `secretTemplatesEnforcedNamespace`
-  contain it, bot will be encrypted. The rest of the spec stays untouched - significantly both boolean fields.
-
-Resulting file snippet must look similar to example below:
-
-```yaml
-apiVersion: isindir.github.com/v1alpha3
-kind: SopsSecret
-metadata:
-    name: example-sopssecret
-    namespace: "cicd"
-spec:
-    enforceNamespace: true
-    secretTemplatesEnforcedNamespace: ENC[AES256_GCM,data:AwmSftNeUA==,iv:JtfLsw++XnhS0pHzbuCS9Bi1AY87yDQ+NTZchzYe/Q0=,tag:n2ve4QExIGww0rTNbEdhvQ==,type:str]
-    suspend: false
-    secretTemplates:
-        - name: ENC[AES256_GCM,data:tYU/qdyidyc2/B97nEI=,iv:UQHAVxRWvcBSwGU88ZNF++BbAIpGESsyRvJvCG6VQBA=,tag:Rep2dhnzEYT3+ZWrQpqENQ==,type:str]
-          labels:
-...
-```
-
-if there was attempt to copy secret to another namespace, following log message can be observered:
-
-```
-INFO    controllers.SopsSecret  New child secret creation error {"sopssecret": {"name":"example-sopssecret","namespace":"abc"}, "error": "createKubeSecretFromTemplate(): secret template enforced namespace must be the same as the sopssecret namespace"}
-```
-
-and the status will be as follows:
-
-```
-% kc get sops -A
-NAMESPACE   NAME                 STATUS
-abc         example-sopssecret   New child secret creation error
-cicd        example-sopssecret   Healthy
-```
-
 ## Example procedure to upgrade from one `SopsSecret` API version to another
 
 Please see document here: [SopsSecret API and Operator Upgrade](docs/api_upgrade_example/README.md)

api/v1alpha3/sopssecret_types.go

@@ -22,21 +22,11 @@ type SopsSecretSpec struct {
 	// Secrets template is a list of definitions to create Kubernetes Secrets
 	//+kubebuilder:validation:MinItems=1
 	//+required
-	SecretTemplates []SopsSecretTemplate `json:"secretTemplates"`
+	SecretsTemplate []SopsSecretTemplate `json:"secretTemplates"`
 
 	// This flag tells the controller to suspend the reconciliation of this source.
 	//+optional
 	Suspend bool `json:"suspend,omitempty"`
-
-	// EnforceNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
-	// Must be used together with Spec.SecretTemplatesEnforcedNamespace
-	//+optional
-	EnforceNamespace bool `json:"enforceNamespace,omitempty"`
-
-	// SecretTemplatesEnforcedNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
-	// Must have same value as the SopsSecret resource namespace and EnforceNamespace must be set to true.
-	//+optional
-	SecretTemplatesEnforcedNamespace string `json:"secretTemplatesEnforcedNamespace,omitempty"`
 }
 
 // SopsSecretTemplate defines the map of secrets to create

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.19.1
-appVersion: 0.13.1
+version: 0.19.0
+appVersion: 0.13.0
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

chart/helm3/sops-secrets-operator/README.md

@@ -134,7 +134,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.13.1"` | Operator image tag |
+| image.tag | string | `"0.13.0"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | initImage.pullPolicy | string | `"Always"` | Init container image pull policy |
 | initImage.repository | string | `"ubuntu"` | Init container image name |

chart/helm3/sops-secrets-operator/tests/operator_test.yaml

@@ -31,8 +31,8 @@ tests:
             app.kubernetes.io/instance: sops
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: 0.13.1
-            helm.sh/chart: sops-secrets-operator-0.19.1
+            app.kubernetes.io/version: 0.13.0
+            helm.sh/chart: sops-secrets-operator-0.19.0
 
   # custom name
   - it: should correctly render custome name
@@ -170,7 +170,7 @@ tests:
       # UPDATE_HERE
       - equal:
           path: spec.template.spec.containers[0].image
-          value: isindir/sops-secrets-operator:0.13.1
+          value: isindir/sops-secrets-operator:0.13.0
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: Always

chart/helm3/sops-secrets-operator/values.yaml

@@ -13,7 +13,7 @@ image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.13.1
+  tag: 0.13.0
   # -- Operator image pull policy
   pullPolicy: Always
 

config/crd/bases/isindir.github.com_sopssecrets.yaml

@@ -535,11 +535,6 @@ spec:
           spec:
             description: SopsSecret Spec definition
             properties:
-              enforceNamespace:
-                description: |-
-                  EnforceNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
-                  Must be used together with Spec.SecretTemplatesEnforcedNamespace
-                type: boolean
               secretTemplates:
                 description: Secrets template is a list of definitions to create Kubernetes
                   Secrets
@@ -585,11 +580,6 @@ spec:
                   type: object
                 minItems: 1
                 type: array
-              secretTemplatesEnforcedNamespace:
-                description: |-
-                  SecretTemplatesEnforcedNamespace can be used to enforce the creation of the secrets in the same namespace as the SopsSecret resource.
-                  Must have same value as the SopsSecret resource namespace and EnforceNamespace must be set to true.
-                type: string
               suspend:
                 description: This flag tells the controller to suspend the reconciliation
                   of this source.