diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
new file mode 100644
index 0000000..525cf82
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,90 @@ +--- +name: "🐛 Bug Report" +description: Create a report to help us improve +labels: [bug] +body: + - type: textarea + id: description + attributes: + label: Describe the bug + description: What is the problem? A clear and concise description of the bug. + validations: + required: true + + - type: textarea + id: current + attributes: + label: Current behavior + description: | + Please include full errors, uncaught exceptions, screenshots, and relevant logs. + Using environment variable JFROG_CLI_LOG_LEVEL="DEBUG" upon running the command will provide more log information. + validations: + required: true + + - type: textarea + id: reproduction + attributes: + label: Reproduction steps + description: | + Provide steps to reproduce the behavior. + validations: + required: false + + - type: textarea + id: expected + attributes: + label: Expected behavior + description: | + What did you expect to happen? + validations: + required: false + + - type: input + id: jfrog-registry-operator-version + attributes: + label: JFrog registry operator version + validations: + required: true + + - type: input + id: package-manager + attributes: + label: Package manager info + description: | + Which package manager name and version is used to build the project? + What's the name and path of the descriptor file (package.json, pom.xml, etc)? + validations: + required: true + + - type: dropdown + id: git-provider + attributes: + label: Git provider + options: + - GitHub + - Bitbucket Server + - GitLab + - Azure DevOps + validations: + required: true + + - type: textarea + id: jfrog-registry-operator-yaml + attributes: + label: JFrog registry operator configuration yaml file + validations: + required: false + + - type: input + id: os-version + attributes: + label: Operating system type and version + validations: + required: true + + - type: input + id: xr-version + attributes: + label: JFrog Xray version + validations: + required: false 
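Review bot: The `current` and `jfrog-registry-operator-yaml` textareas ask reporters to paste DEBUG-level logs and the operator's configuration YAML into a public issue, but neither description tells them to strip credentials first. Add to the `current` description a line such as `Please redact access tokens, passwords and internal hostnames before pasting logs or YAML.` and repeat it in a `description:` on the configuration textarea, which currently has none. The `package-manager` and `git-provider` fields read as carried over from a Frogbot template; for a Kubernetes operator a required field for the Kubernetes/cluster version would be more useful, though which fields the maintainers actually want is not visible here.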
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..9bc2730 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,19 @@ +--- +name: ⭐️ Feature request +about: Suggest an idea for this project +title: "" +labels: feature request +assignees: "" +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like to see** +A clear and concise description of the new feature. + +**Describe alternatives you've considered** +If applicable, a clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md new file mode 100644 index 0000000..3750fd7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/question.md @@ -0,0 +1,7 @@ +--- +name: ❓ Question +about: Ask a question +title: "" +labels: question +assignees: "" +--- diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..e5abfbf --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,5 @@ +- [ ] All [tests](https://github.com/jfrog/jfrog-registry-operator#tests) passed. If this feature is not already covered by the tests, I added new tests. +- [ ] This pull request is on the dev branch. +- [ ] I used gofmt for formatting the code before submitting the pull request. +--- + diff --git a/.github/release.yml b/.github/release.yml new file mode 100644 index 0000000..5021017 --- /dev/null +++ b/.github/release.yml 
@@ -0,0 +1,20 @@ +changelog: + exclude: + labels: + - ignore for release + categories: + - title: Breaking Changes 🚨 + labels: + - breaking change + - title: Exciting New Features 🎉 + labels: + - new feature + - title: Improvements 🌱 + labels: + - improvement + - title: Bug Fixes 🛠 + labels: + - bug + - title: Other Changes 📚 + labels: + - "*" diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml new file mode 100644 index 0000000..9eec58f --- /dev/null +++ b/.github/workflows/action-test.yml @@ -0,0 +1,32 @@ +name: "GitHub Action Test" +on: + push: + tags-ignore: + - '**' + pull_request: +jobs: + test: + runs-on: ${{ matrix.os }} + defaults: + run: + working-directory: action + strategy: + matrix: + os: [ubuntu-latest, windows-latest, macOS-latest] + fail-fast: false + steps: + # Checkout and install prerequisites + - name: Checkout + uses: actions/checkout@v4 + - name: Setup NodeJS + uses: actions/setup-node@v3 + with: + node-version: "16.x" + + # Install and run tests + - name: Install + run: npm i + - name: Lint + run: npm run lint + - name: Unit tests + run: npm t diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml new file mode 100644 index 0000000..1f6e181 --- /dev/null +++ b/.github/workflows/analysis.yml 
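Review bot: The Install step in `action-test.yml` runs `npm i`, which ignores a lockfile's pins and can pull newer transitive versions on each run; `npm ci` fails instead when `package-lock.json` and `package.json` disagree, so change it to `run: npm ci`. The workflow has no top-level `permissions:` block, so a lint-and-test job inherits the repository default token scope although it needs nothing but read; add `permissions:` with `contents: read`. `node-version: "16.x"` is past end-of-life, and whether an `action/` directory with a Node project exists in this repository is not visible in the diff, so confirm the `working-directory` resolves before relying on this job.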
@@ -0,0 +1,66 @@ +name: "Static Analysis" +on: + push: + tags-ignore: + - '**' + pull_request: +jobs: + Static-Check: + runs-on: ubuntu-latest + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Install Go + uses: actions/setup-go@v3 + with: + go-version: 1.20.x + + - name: Go Cache + uses: actions/cache@v3 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: ${{ runner.os }}-go- + + # Generate mocks + - name: Generate mocks + run: go generate ./... + + - name: Static Code Analysis + uses: golangci/golangci-lint-action@v3 + with: + args: | + --timeout 5m --out-${NO_FUTURE}format colored-line-number --enable errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars + + Go-Sec: + runs-on: ubuntu-latest + env: + GOFLAGS: -buildvcs=false + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Install Go + uses: actions/setup-go@v3 + with: + go-version: 1.20.x + + - name: Run Gosec Security Scanner + uses: securego/gosec@master + with: + args: -exclude=G204,G301,G302,G304,G306 -exclude-dir=\.*test\.* ./... + + ShellCheck: + name: Shellcheck + runs-on: ubuntu-latest + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Run ShellCheck + uses: ludeeus/action-shellcheck@master + with: + ignore_paths: + .husky + *test* diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml new file mode 100644 index 0000000..734f74f --- /dev/null +++ b/.github/workflows/frogbot-scan-pull-request.yml 
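Review bot: The Go-Sec and ShellCheck jobs pull `securego/gosec@master` and `ludeeus/action-shellcheck@master`, so the code executed in CI changes whenever those default branches move and a compromised upstream would run here unreviewed; pin both to a release tag or, better, a full commit SHA with the version in a trailing comment. The gosec `args:` line excludes G204, G301, G302, G304 and G306 wholesale, and for an operator that reads configuration and writes secrets those path and file-permission checks are the ones most likely to matter, so either justify the exclusions in a comment above `args:` or drop them and use per-finding `#nosec` annotations in the code. `--out-${NO_FUTURE}format` relies on an unset variable expanding to nothing so that `--out-format` gets past the action's argument check; a comment saying so would spare the next reader a puzzle. None of the three jobs declares `permissions:`; `contents: read` is sufficient for all of them.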
@@ -0,0 +1,123 @@ +name: "Jfrog Registry Operator Scan Pull Request" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write + contents: read +jobs: + scan-pull-request: + runs-on: ubuntu-latest + # A pull request needs to be approved before jfrog-registry-operator scans it. Any GitHub user who is associated with the + # "jfrog-registry-operator" GitHub environment can approve the pull request to be scanned. + environment: jfrog-registry-operator + steps: + - uses: jfrog/jfrog-registry-operator@v2 + env: + JFROG_CLI_LOG_LEVEL: "DEBUG" + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.OPERATOR_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.OPERATOR_ACCESS_TOKEN }} + + # [Mandatory] + # The GitHub token is automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Optional] + # By default, the jfrog-registry-operator workflows download the jfrog-registry-operator executable as well as other tools + # needed from https://releases.jfrog.io + # If the machine that runs jfrog-registry-operator has no access to the internet, follow these steps to allow the + # executable to be downloaded from an Artifactory instance, which the machine has access to: + # + # 1. Login to the Artifactory UI, with a user who has admin credentials. + # 2. Create a Remote Repository with the following properties set. + # Under the 'Basic' tab: + # Package Type: Generic + # URL: https://releases.jfrog.io + # Under the 'Advanced' tab: + # Uncheck the 'Store Artifacts Locally' option + # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created. 
+ # JF_RELEASES_REPO: "" + + # [Optional] + # Configure the SMTP server to enable jfrog-registry-operator to send emails with detected secrets in pull request scans. + # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080) + JF_SMTP_SERVER: ${{ secrets.JF_SMTP_SERVER }} + + # [Mandatory if JF_SMTP_SERVER is set] + # The username required for authenticating with the SMTP server. + JF_SMTP_USER: ${{ secrets.JF_SMTP_USER }} + + # [Mandatory if JF_SMTP_SERVER is set] + # The password associated with the username required for authentication with the SMTP server. + JF_SMTP_PASSWORD: ${{ secrets.JF_SMTP_PASSWORD }} + + # [Optional] + # List of comma separated email addresses to receive email notifications about secrets + # detected during pull request scanning. The notification is also sent to the email set + # in the committer git profile regardless of whether this variable is set or not. + JF_EMAIL_RECEIVERS: "eco-system@jfrog.com" + + ########################################################################## + ## If your project uses a 'jfrog-registry-operator-config.yml' file, you can define ## + ## the following variables inside the file, instead of here. ## + ########################################################################## + + # [Mandatory if the two conditions below are met] + # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies + # 2. The `installCommand` variable isn't set in your jfrog-registry-operator-config.yml file. + # + # The command that installs the project dependencies (e.g "nuget restore") + # JF_INSTALL_DEPS_CMD: "" + + # [Optional, default: "."] + # Relative path to the root of the project in the Git repository + # JF_WORKING_DIR: path/to/project/dir + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. 
Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + # JF_PROJECT: + + # [Optional, default: "FALSE"] + # Displays all existing vulnerabilities, including the ones that were added by the pull request. + # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE" + + # [Optional, default: "FALSE"] + # When adding new comments on pull requests, keep old comments that were added by previous scans. + # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE" + + # [Optional, default: "TRUE"] + # Fails the jfrog-registry-operator task if any security issue is found. + # JF_FAIL: "FALSE" + + # [Optional] + # Jfrog-registry-operator will download the project dependencies if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no + # need to set this value, if it is set in the jfrog-registry-operator-config.yml file. + # JF_DEPS_REPO: "" + + # [Optional, Default: "FALSE"] + # If TRUE, Jfrog-registry-operator creates a single pull request with all the fixes. + # If false, Jfrog-registry-operator creates a separate pull request for each fix. + # JF_GIT_AGGREGATE_FIXES: "FALSE" + + # [Optional, Default: "FALSE"] + # Handle vulnerabilities with fix versions only + # JF_FIXABLE_ONLY: "TRUE" + + # [Optional] + # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests + # The following values are accepted: Low, Medium, High or Critical + # JF_MIN_SEVERITY: "" \ No newline at end of file diff --git a/.github/workflows/frogbot-scan-repository.yml b/.github/workflows/frogbot-scan-repository.yml new file mode 100644 index 0000000..d99316c --- /dev/null +++ b/.github/workflows/frogbot-scan-repository.yml 
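Review bot: The step `uses: jfrog/jfrog-registry-operator@v2` points the scan at this repository's own `v2` tag rather than at Frogbot, and nothing else in the diff adds an `action.yml`, so the job will either fail to resolve an action or run whatever the floating `v2` tag references after `update-v2-tag.yml` force-moves it. The surrounding variables (`JF_INSTALL_DEPS_CMD`, `JF_WATCHES`, the `jfrog-registry-operator-config.yml` file) are Frogbot's, which suggests a search-and-replace over Frogbot's template; if Frogbot is the intended scanner, restore `uses: jfrog/frogbot@v2` or pin it to a commit SHA, and fix the comments to match. `JFROG_CLI_LOG_LEVEL: "DEBUG"` on a `pull_request_target` job makes verbose output visible to anyone who can read the run logs, so remove it once the workflow is stable. `JF_EMAIL_RECEIVERS: "eco-system@jfrog.com"` is hard-coded while the SMTP credentials come from secrets; the address is not sensitive, but confirm it is the right mailbox for this project.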
@@ -0,0 +1,118 @@ +name: "Jfrog Registry Operator Scan Repository" +on: + workflow_dispatch: + schedule: + # The repository will be scanned once a day at 00:00 GMT. + - cron: "0 0 * * *" +permissions: + contents: write + pull-requests: write + security-events: write +jobs: + scan-repository: + runs-on: ubuntu-latest + name: Scan Repository (${{ matrix.branch }} branch) + strategy: + matrix: + # The repository scanning will be triggered periodically on the following branches. + branch: [ "dev" ] + steps: + - uses: jfrog/jfrog-registry-operator@v2 + env: + JFROG_CLI_LOG_LEVEL: "DEBUG" + # [Mandatory] + # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray) + JF_URL: ${{ secrets.OPERATOR_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.OPERATOR_ACCESS_TOKEN }} + + # [Mandatory] + # The GitHub token is automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Mandatory] + # The name of the branch on which jfrog-registry-operator will perform the scan + JF_GIT_BASE_BRANCH: ${{ matrix.branch }} + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Optional] + # By default, the jfrog-registry-operator workflows download the jfrog-registry-operator executable as well as other tools + # needed from https://releases.jfrog.io + # If the machine that runs jfrog-registry-operator has no access to the internet, follow these steps to allow the + # executable to be downloaded from an Artifactory instance, which the machine has access to: + # + # 1. Login to the Artifactory UI, with a user who has admin credentials. + # 2. Create a Remote Repository with the following properties set. 
+ # Under the 'Basic' tab: + # Package Type: Generic + # URL: https://releases.jfrog.io + # Under the 'Advanced' tab: + # Uncheck the 'Store Artifacts Locally' option + # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created. + # JF_RELEASES_REPO: "" + + ########################################################################## + ## If your project uses a 'jfrog-registry-operator-config.yml' file, you can define ## + ## the following variables inside the file, instead of here. ## + ########################################################################## + + # [Optional, default: "."] + # Relative path to the root of the project in the Git repository + # JF_WORKING_DIR: path/to/project/dir + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + # JF_PROJECT: + + # [Optional, default: "TRUE"] + # Fails the jfrog-registry-operator task if any security issue is found. + # JF_FAIL: "FALSE" + + # [Optional] + # jfrog-registry-operator will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no + # need to set this value, if it is set in the jfrog-registry-operator-config.yml file. + # JF_DEPS_REPO: "" + + # [Optional] + # Template for the branch name generated by jfrog-registry-operator when creating pull requests with fixes. + # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique. + # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. 
+ # JF_BRANCH_NAME_TEMPLATE: "jfrog-registry-operator-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}" + + # [Optional] + # Template for the commit message generated by jfrog-registry-operator when creating pull requests with fixes + # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. + # JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" + + # [Optional] + # Template for the pull request title generated by jfrog-registry-operator when creating pull requests with fixes. + # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. + # JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Jfrog Registry Operator] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" + + # [Optional, Default: "FALSE"] + # If TRUE, jfrog-registry-operator creates a single pull request with all the fixes. + # If FALSE, jfrog-registry-operator creates a separate pull request for each fix. + # JF_GIT_AGGREGATE_FIXES: "FALSE" + + # [Optional, Default: "FALSE"] + # Handle vulnerabilities with fix versions only + # JF_FIXABLE_ONLY: "TRUE" + + # [Optional] + # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests + # The following values are accepted: Low, Medium, High or Critical + # JF_MIN_SEVERITY: "" + + # [Optional, Default: eco-system+jfrog-registry-operator@jfrog.com] + # Set the email of the commit author + # JF_GIT_EMAIL_AUTHOR: "" \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..9b07539 --- /dev/null +++ b/.github/workflows/test.yml 
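Review bot: This workflow grants `contents: write`, `pull-requests: write` and `security-events: write` to a step that resolves `jfrog/jfrog-registry-operator@v2`, which as far as the diff shows is this repository's own floating tag and not a published action; whatever commit `update-v2-tag.yml` next moves `v2` to would run on a daily schedule with write access to the repository. If Frogbot is the intended tool, use `uses: jfrog/frogbot@v2` and consider pinning it to a commit SHA, since a scheduled job with `contents: write` is exactly where a moved tag hurts most. `branch: [ "dev" ]` means only `dev` is scanned; if a separate release branch exists it belongs in the matrix too, though the branch layout is not visible here. As in the pull-request workflow, `JFROG_CLI_LOG_LEVEL: "DEBUG"` should not stay on permanently.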
@@ -0,0 +1,164 @@ +name: "Go Tests" + +on: + push: + # Triggers the workflow on labeled PRs only. + pull_request_target: + types: [labeled] + +# Ensures that only the latest commit is running for each PR at a time. +# Ignores this rule for push events. +concurrency: + group: ${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: true +jobs: + Pretest: + if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push' + runs-on: ubuntu-latest + steps: + - name: Unlabel 'safe to test' + uses: actions-ecosystem/action-remove-labels@v1 + if: ${{ github.event_name != 'push' }} + with: + labels: "safe to test" + + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Install Go + uses: actions/setup-go@v3 + with: + go-version: 1.20.x + + - name: Go Cache + uses: actions/cache@v3 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: ${{ runner.os }}-go- + + # Generate mocks + - name: Generate mocks + run: go generate ./... + + - name: Lint + run: go vet -v ./... 
+ + tests: + needs: Pretest + name: ${{ matrix.suite.name }} Tests (${{ matrix.os }}) + runs-on: ${{ matrix.os }}-latest + env: + JFROG_CLI_LOG_LEVEL: "DEBUG" + strategy: + fail-fast: false + matrix: + suite: + - name: 'Unit' + + - name: 'Scan Repository' + package: 'scanrepository' + + - name: 'Scan Pull Request' + package: 'scanpullrequest' + + - name: 'Package Handlers' + package: 'packagehandlers' + + os: [ ubuntu, windows, macos ] + steps: + # Configure prerequisites + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Go + uses: actions/setup-go@v3 + with: + go-version: 1.20.x + + - name: Go Cache + uses: actions/cache@v3 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - name: Install npm + uses: actions/setup-node@v3 + with: + node-version: "16" + + - name: Setup Python3 + uses: actions/setup-python@v4 + with: + python-version: "3.x" + + - name: Install python components + run: python -m pip install pipenv poetry + + - name: Install dotnet + uses: actions/setup-dotnet@v3 + with: + dotnet-version: "6.x" + + # Generate mocks + - name: Generate mocks + run: go generate ./... 
+ if: ${{ matrix.suite.name != 'Unit' }} + + - name: Run Tests + if: ${{ matrix.suite.name != 'GitHub Integration' || matrix.os == 'ubuntu' }} + run: go test github.com/jfrog/jfrog-registry-operator/${{ matrix.suite.package }} -v -race -timeout 30m -cover + env: + JF_URL: ${{ secrets.PLATFORM_URL }} + JF_ACCESS_TOKEN: ${{ secrets.PLATFORM_ADMIN_TOKEN }} + + github-integration: + name: GitHub Integration Tests + needs: Pretest + runs-on: ubuntu-latest + env: + JFROG_CLI_LOG_LEVEL: "DEBUG" + OPERATOR_TESTS_GITHUB_TOKEN: ${{ secrets.OPERATOR_TESTS_GITHUB_TOKEN }} + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Build JFrog Registry Operator + run: buildscripts/build.sh + + - name: Run Tests + run: go test github_test.go integrationutils.go commands.go -v -race -timeout 30m -cover + env: + JF_URL: ${{ secrets.PLATFORM_URL }} + JF_ACCESS_TOKEN: ${{ secrets.PLATFORM_ADMIN_TOKEN }} + OPERATOR_TESTS_GITHUB_TOKEN: ${{ secrets.OPERATOR_TESTS_GITHUB_TOKEN }} + + azure-integration: + name: Azure Integration Tests + needs: Pretest + runs-on: ${{ matrix.os }}-latest + strategy: + fail-fast: false + matrix: + os: [ ubuntu, windows, macos ] + env: + JFROG_CLI_LOG_LEVEL: "DEBUG" + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Build JFrog Registry Operator + run: buildscripts/build.sh + + - name: Run Tests + run: go test azure_test.go integrationutils.go commands.go -v -race -timeout 30m -cover + env: + JF_URL: ${{ secrets.PLATFORM_URL }} + JF_ACCESS_TOKEN: ${{ secrets.PLATFORM_ADMIN_TOKEN }} + OPERATOR_TESTS_AZURE_TOKEN: ${{ secrets.OPERATOR_TESTS_AZURE_TOKEN }} diff --git a/.github/workflows/update-v2-tag.yml b/.github/workflows/update-v2-tag.yml new file mode 100644 index 0000000..8208b48 --- /dev/null +++ b/.github/workflows/update-v2-tag.yml 
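Review bot: `Pretest` and the three test jobs check out `github.event.pull_request.head.sha` under `pull_request_target` and then run `go generate ./...` and `go test`, so any `//go:generate` directive or test added by the pull request executes with the workflow's GITHUB_TOKEN and, in the test jobs, with `secrets.PLATFORM_ADMIN_TOKEN`; the `safe to test` label is the only gate and no `permissions:` block is declared, so the token carries whatever the repository default grants. Add a top-level `permissions:` block with `contents: read` and `pull-requests: write` (the latter is needed only by the unlabel step) and replace the admin token with one scoped to what the tests actually call. The suite packages and files (`scanrepository`, `scanpullrequest`, `packagehandlers`, `github_test.go`, `azure_test.go`, `buildscripts/build.sh`) match Frogbot's layout rather than an operator's; if they do not exist here the jobs fail before the token question matters, which is worth confirming. Because `types: [labeled]` omits `synchronize` and the label is removed on the first run, each later push needs the label re-applied; a comment saying so next to the trigger would save maintainers confusion.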
@@ -0,0 +1,19 @@ +name: "Update v2 Tag" +on: + release: + types: [published] + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Update v2 tag + run: git tag -f v2 + - name: Push changes + uses: ad-m/github-push-action@master + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + tags: true + force: true diff --git a/.github/workflows/validate-pr-target-branch.yml b/.github/workflows/validate-pr-target-branch.yml new file mode 100644 index 0000000..1ee921b --- /dev/null +++ b/.github/workflows/validate-pr-target-branch.yml @@ -0,0 +1,19 @@ +name: Validate Pull Request Target Branch + +on: + pull_request_target: + types: + - opened + - reopened + - synchronize + +jobs: + validate-target-branch: + runs-on: ubuntu-latest + steps: + - name: Check Target Branch + run: | + if [ "${{ github.base_ref }}" != "dev" ]; then + echo "Pull requests must target the 'dev' branch." + exit 1 + fi diff --git a/api/v1alpha1/secretrotator_types.go b/api/v1alpha1/secretrotator_types.go index 3310ee8..2934c45 100755 --- a/api/v1alpha1/secretrotator_types.go +++ b/api/v1alpha1/secretrotator_types.go @@ -92,7 +92,6 @@ type SecretRotatorStatus struct { } // ExternalSecretCreationPolicy defines rules on how to create the resulting Secret. - // ExternalSecretTemplate defines a blueprint for the created Secret resource. // we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
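Review bot: `git tag -f v2` runs on every `published` release, including pre-releases and any release whose tag is not a 2.x version, so a `v3.0.0-rc1` or a mistaken `v1.x` publish would move the floating `v2` tag that the scan workflows in this same diff consume. Guard the job with `if: ${{ !github.event.release.prerelease && startsWith(github.event.release.tag_name, 'v2.') }}` and tag the release commit explicitly with `git tag -f v2 "${GITHUB_SHA}"` rather than whatever `checkout` fetched. `ad-m/github-push-action@master` is an unpinned third-party action handed a force-push-capable token; pin it to a commit SHA or replace it with a plain `git push --force origin v2`, and declare `permissions: contents: write` so the job does not depend on the repository default.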
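Review bot: The `Check Target Branch` step interpolates `${{ github.base_ref }}` straight into the `run:` script body; the base branch is chosen by the pull-request author from branches that exist upstream, so the risk is low today, but expression interpolation into shell is the pattern that becomes command injection as soon as a branch with an unusual name appears. Pass the value through the environment instead, with `env:` `BASE_REF: ${{ github.base_ref }}` on the step and `if [ "$BASE_REF" != "dev" ]; then` in the script. The job needs no token at all, so add `permissions: {}` at the top of the workflow.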