diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 14fa7fd3..e7bb9bd4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,8 +11,11 @@ jobs:
 name: CI
 environment: ci-cd
+ # UPDATE_HERE
+ # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
 runs-on: ubuntu-20.04
 env:
+ # UPDATE_HERE
 # https://hub.docker.com/r/rancher/k3s/tags
 K3S_VERSION: v1.29.1-k3s1
 # https://github.com/helm-unittest/helm-unittest/releases
@@ -20,11 +23,13 @@ jobs:
 steps:
+ # UPDATE_HERE
 - uses: actions/checkout@v4
 name: Check out code
+ # UPDATE_HERE
 - name: Install asdf tools
- uses: asdf-vm/actions/install@v2
+ uses: asdf-vm/actions/install@v3
 - name: install gpg2
 run: |
@@ -161,18 +166,22 @@ jobs:
 echo "IMAGE_LATEST_NAME=$(make image_latest_name)" >> $GITHUB_ENV
 echo "IMAGE_CACHE_NAME=$(make image_cache_name)" >> $GITHUB_ENV
+ # UPDATE_HERE
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
+ # UPDATE_HERE
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ # UPDATE_HERE
 - name: Log in to Docker Hub
 uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASS }}
+ # UPDATE_HERE
 - name: Docker build
 uses: docker/build-push-action@v5
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8a30cdac..fc44fe6c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,13 +10,17 @@ jobs:
 name: Release
 environment: ci-cd
- runs-on: ubuntu-20.04
+ # UPDATE_HERE
+ # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
+ runs-on: ubuntu-22.04
 env:
+ # UPDATE_HERE
 # https://github.com/github/hub/releases
 HUB_VERSION: 2.14.2
 steps:
+ # UPDATE_HERE
 - uses: actions/checkout@v4
 name: Check out code
 with:
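Review bot: `runs-on: ubuntu-20.04` in the first ci.yaml hunk receives the UPDATE_HERE marker but keeps the old runner image, while the same edit in release.yaml and reviewdog.yaml moves to `ubuntu-22.04`, so the three workflows now disagree on the runner. If nothing in the CI job requires 20.04 (nothing in this hunk suggests it does), change the line to `runs-on: ubuntu-22.04` so the marker means the same thing in every file. If 20.04 is deliberate, a one-line comment beside the marker, e.g. `# pinned to 20.04: <reason>`, would stop the next UPDATE_HERE sweep from bumping it by accident.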
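Review bot: `uses: asdf-vm/actions/install@v3` in the second ci.yaml hunk, like every other `uses:` reference touched in this diff (the docker/* actions in the third ci.yaml hunk, the release.yaml hunks and reviewdog.yaml), points at a mutable major-version tag, so the workflow executes whatever commit that tag resolves to at run time; for the `docker/login-action@v3` step that also means the code receiving `secrets.DOCKERHUB_PASS` is not fixed. Pinning each action to its full commit SHA with the tag kept as a trailing comment, e.g. `uses: asdf-vm/actions/install@<full-commit-sha-for-v3>  # v3`, makes the action content immutable while leaving the UPDATE_HERE review process unchanged; Dependabot's `github-actions` ecosystem keeps such SHA pins current. This predates the commit, which only refreshes the tags, so it is reasonable as a follow-up rather than a blocker.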
@@ -39,9 +43,10 @@ jobs:
 run: |
 echo "Skip release, tag found for ${VERSION}"
+ # UPDATE_HERE
 - name: Install asdf tools
 if: env.SKIP_RELEASE == ''
- uses: asdf-vm/actions/install@v2
+ uses: asdf-vm/actions/install@v3
 - name: install hub
 if: env.SKIP_RELEASE == ''
@@ -51,14 +56,17 @@ jobs:
 chmod +x hub-linux-amd64-${HUB_VERSION}/bin/hub
 sudo mv hub-linux-amd64-${HUB_VERSION}/bin/hub /usr/local/bin/
+ # UPDATE_HERE
 - name: Set up QEMU
 if: env.SKIP_RELEASE == ''
 uses: docker/setup-qemu-action@v3
+ # UPDATE_HERE
 - name: Set up Docker Buildx
 if: env.SKIP_RELEASE == ''
 uses: docker/setup-buildx-action@v3
+ # UPDATE_HERE
 - name: Log in to Docker Hub
 if: env.SKIP_RELEASE == ''
 uses: docker/login-action@v3
@@ -75,6 +83,7 @@ jobs:
 git-chglog "${SOPS_SEC_OPERATOR_VERSION}" > chglog.tmp
 hub release create -F chglog.tmp "${SOPS_SEC_OPERATOR_VERSION}"
+ # UPDATE_HERE
 - name: Docker build
 if: env.SKIP_RELEASE == ''
 uses: docker/build-push-action@v5
diff --git a/.github/workflows/reviewdog.yaml b/.github/workflows/reviewdog.yaml
index 2b1afad8..2df8ca80 100644
--- a/.github/workflows/reviewdog.yaml
+++ b/.github/workflows/reviewdog.yaml
@@ -4,19 +4,25 @@ on: [pull_request]
 jobs:
 golangci-lint:
 name: runner / golangci-lint
- runs-on: ubuntu-latest
+ # UPDATE_HERE
+ # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
+ runs-on: ubuntu-22.04
 steps:
+ # UPDATE_HERE
 - name: Check out code into the Go module directory
 uses: actions/checkout@v4
+ # UPDATE_HERE
 - name: golangci-lint
 uses: reviewdog/action-golangci-lint@v2
 with:
 golangci_lint_flags: "--timeout=4m"
+ # UPDATE_HERE
 - name: action-lint
 uses: reviewdog/action-actionlint@v1
+ # UPDATE_HERE
 - name: docker hadolint
 uses: reviewdog/action-hadolint@v1
 with:
diff --git a/.tool-versions b/.tool-versions
index ce929f2d..684d9f3b 100644
--- a/.tool-versions
+++ b/.tool-versions
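Review bot: `sudo mv hub-linux-amd64-${HUB_VERSION}/bin/hub /usr/local/bin/` in the second release.yaml hunk installs a downloaded binary into the release job's PATH with no integrity check in view; the fetch and extract lines sit above the hunk, so I cannot see whether a checksum is compared there. If the release publishes a checksum, verifying it before the `chmod`/`mv` — or comparing against a sha256 recorded next to `HUB_VERSION` under the same UPDATE_HERE marker — would tie the release job to a fixed artifact instead of whatever the download URL serves on the day. A short comment above the `chmod` saying where the archive was verified would be enough if that already happens earlier in the step.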
@@ -2,7 +2,7 @@
 # https://github.com/kubernetes-sigs/kubebuilder/releases
 kubebuilder 3.14.0
 # https://golang.org/dl/
-golang 1.21.6
+golang 1.21.7
 # https://github.com/mozilla/sops/releases
 sops 3.8.1
 # https://github.com/kubernetes-sigs/kustomize/releases
@@ -16,11 +16,11 @@ kubectl 1.29.1
 helm 3.14.0
 # https://github.com/norwoodj/helm-docs/releases
 helm-docs 1.12.0
-# https://github.com/instrumenta/kubeval/releases
-kubeval v0.16.1
+# https://github.com/yannh/kubeconform/releases
+kubeconform 0.6.4
 # https://github.com/git-chglog/git-chglog/releases
 git-chglog 0.15.4
 # https://github.com/golangci/golangci-lint/releases
-golangci-lint 1.55.2
+golangci-lint 1.56.1
 # https://github.com/kubernetes-sigs/controller-tools/releases
 #kube-controller-tools 0.13.0
diff --git a/Dockerfile b/Dockerfile
index 2a205191..81bbcb1a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,10 +7,12 @@ FROM ubuntu:noble-20240114 as asdf-builder
 # UPDATE_HERE
 ARG ASDF_VERSION=v0.14.0
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 # Install build tools
 RUN apt-get -y update \
 && apt-get -y install build-essential \
- && apt-get -y install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev curl \
+ && apt-get -y install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev curl wget \
 && apt-get clean && rm -rf /var/lib/apt/lists/*
 # Install asdf
@@ -29,7 +31,7 @@ RUN git config --global user.email "you@example.com" \
 WORKDIR /root
 COPY .tool-versions .
-RUN awk '$0 !~ /^#/ {print $1}' ~/.tool-versions|xargs -i asdf plugin add {} \
+RUN awk '$0 !~ /^#/ {print $1}' .tool-versions|xargs -I{} asdf plugin add {} \
 && asdf install && asdf reshim
 ENV PATH "/root/.asdf/shims:/root/.asdf/bin:$PATH"
diff --git a/Makefile b/Makefile
index a82d1e33..e711aa29 100644
--- a/Makefile
+++ b/Makefile
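Review bot: `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` in the first Dockerfile hunk is declared inside the `asdf-builder` stage, and a `SHELL` setting does not carry across a later `FROM`, so any piped `RUN` in subsequent stages (outside this diff) keeps running without pipefail and would need its own `SHELL` line. On the rewritten apt line, `&& apt-get -y install --no-install-recommends autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev curl wget \` keeps the builder's package set to what is actually listed. With both `curl` and `wget` now installed, a comment on the line naming what `wget` is needed for (the consumer is below the hunk) would make the next cleanup easier.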
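Review bot: `xargs -I{} asdf plugin add {}` in the second Dockerfile hunk still adds each plugin by short name only, so the git URL and revision each plugin is cloned from are resolved from asdf's plugin registry at build time rather than from anything checked into this repository; together with `asdf install` that means the toolchain baked into the image is not reproducible from `.tool-versions` alone. If that matters for the release image, passing an explicit source (`asdf plugin add <name> <git-url>`) from a checked-in list, or recording and checking a hash of the installed tools, would close the gap; otherwise a comment above the `RUN` such as `# plugins are fetched unpinned from the asdf shortname registry` at least documents the choice. The `-i` → `-I{}` and `~/.tool-versions` → `.tool-versions` changes themselves look right, since `-i` is deprecated in GNU xargs and `WORKDIR /root` makes the relative path equivalent.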
@@ -5,7 +5,7 @@ SOPS_SEC_OPERATOR_VERSION := 0.12.2
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.14.0"
 # https://github.com/kubernetes-sigs/controller-runtime/releases
-CONTROLLER_RUNTIME_VERSION := "v0.17.0"
+CONTROLLER_RUNTIME_VERSION := "v0.17.1"
 # https://github.com/kubernetes-sigs/kustomize/releases
 KUSTOMIZE_VERSION := "v5.3.0"
 # use `setup-envtest list` to obtain the list of available versions
@@ -13,7 +13,7 @@ KUSTOMIZE_VERSION := "v5.3.0"
 # https://github.com/kubernetes-sigs/controller-runtime/issues/1571
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 # https://storage.googleapis.com/kubebuilder-tools
-ENVTEST_K8S_VERSION := "1.29.0"
+ENVTEST_K8S_VERSION := "1.29.1"
 # Use existing cluster instead of starting processes
 USE_EXISTING_CLUSTER ?= true
@@ -128,7 +128,7 @@ lint: ## Run golangci-lint
 .PHONY: update-here
 update-here: ## Helper target to start editing all occurances with UPDATE_HERE.
 @echo "Update following files for release:"
- @grep --color -nHR UPDATE_HERE .
+ @git grep --color -H UPDATE_HERE | sed -e 's/:.*//' | sort -u
 .PHONY: envtest-list
 envtest-list: envtest ## List of the available setup-envtest versions.
diff --git a/README.md b/README.md
index 770f5833..8ad86a4b 100644
--- a/README.md
+++ b/README.md
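Review bot: `@git grep --color -H UPDATE_HERE | sed -e 's/:.*//' | sort -u` in the third Makefile hunk forces colour into a pipe (`--color` with no value means always), so the filenames reaching `sort -u` carry ANSI escape sequences and the `sed` only strips from the first literal `:`, leaving the coloured separator's escape code attached to each name. `git grep -l UPDATE_HERE` already prints each matching file exactly once with no colour to scrub, so the recipe can be `@git grep -l UPDATE_HERE` (append `| sort` if a stable order is wanted); colour can be reintroduced for interactive use by printing the list afterwards rather than grepping with it. The comment line above it is context, but while touching the target `occurances` could become `occurrences`.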
@@ -12,7 +12,7 @@ CRs, inspired by [Bitnami SealedSecrets](https://github.com/bitnami-labs/sealed- [sops](https://github.com/mozilla/sops). SopsSecret CR defines multiple kubernetes Secret resources. It supports managing kubernetes Secrets with annotations and labels, that allows using these kubernetes secrets as [Jenkins Credentials](https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/). -The SopsSecret resources can be deployed by [Weaveworks Flux GitOps CD](https://fluxcd.io/) and +The SopsSecret resources can be deployed by [Flux GitOps CD](https://fluxcd.io/) and encrypted using [sops](https://github.com/mozilla/sops) for AWS, GCP, Azure or on-prem hosted kubernetes clusters. Using `sops` greatly simplifies changing encrypted files stored in `git` repository. @@ -310,9 +310,9 @@ Projects and tools inspired development of `sops-secrets-operator`: * [sops](https://github.com/mozilla/sops) * [Configuring AWS KMS for use with sops](https://github.com/mozilla/sops#26assuming-roles-and-using-kms-in-various-aws-accounts) * [helm secrets plugin](https://github.com/jkroepke/helm-secrets) -* [kiam](https://github.com/uswitch/kiam) - in maintenance mode now * [kube2iam](https://github.com/jtblin/kube2iam) -* [Weaveworks Flux GitOps CD](https://fluxcd.io/) - flux supports `sops` out of the box + * [kiam](https://github.com/uswitch/kiam) - in ABANDONED mode now +* [Flux GitOps CD](https://fluxcd.io/) - flux supports `sops` out of the box * [Flux github repositories](https://github.com/fluxcd) * [Flux sops native integration documentation](https://fluxcd.io/flux/guides/mozilla-sops/) * [Jenkins Configuration as Code](https://jenkins.io/projects/jcasc/) 
@@ -323,12 +323,12 @@ Projects and tools inspired development of `sops-secrets-operator`: * [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) * [operator-sdk](https://github.com/operator-framework/operator-sdk) -## Similar tools +## Alternative tools * [Kubernetes external secrets](https://github.com/external-secrets/external-secrets) +* [Vault Secrets Operator](https://github.com/ricoberger/vault-secrets-operator) * [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) * [Secrets Store CSI driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) * [Kamus](https://kamus.soluto.io/) -* [Sops Operator](https://github.com/craftypath/sops-operator) * [Tesoro](https://github.com/kapicorp/tesoro) -* [Vault Secrets Operator](https://github.com/ricoberger/vault-secrets-operator) +* [Sops Operator](https://github.com/craftypath/sops-operator) diff --git a/chart/helm2/sops-secrets-operator/.helmignore b/chart/helm2/sops-secrets-operator/.helmignore deleted file mode 100644 index 6378bc99..00000000 --- a/chart/helm2/sops-secrets-operator/.helmignore +++ /dev/null @@ -1,29 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ -# Custom -qqq.* -abc.* -*.qqq -*.abc -*.vim -Makefile diff --git a/chart/helm2/sops-secrets-operator/Chart.yaml b/chart/helm2/sops-secrets-operator/Chart.yaml deleted file mode 100644 index d9735f09..00000000 --- a/chart/helm2/sops-secrets-operator/Chart.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -version: 0.5.3 -appVersion: 0.1.8 -description: sops secrets operator -name: sops-secrets-operator -sources: -- https://github.com/isindir/sops-secrets-operator.git -maintainers: -- name: isindir - email: isindir@users.sf.net diff --git a/chart/helm2/sops-secrets-operator/Makefile b/chart/helm2/sops-secrets-operator/Makefile deleted file mode 100644 index e5179d41..00000000 --- a/chart/helm2/sops-secrets-operator/Makefile +++ /dev/null @@ -1,45 +0,0 @@ -.PHONY: all dep list test - -CHART_NAME?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^name:/ { gsub(/['\'',]/, ""); print $$2; }') -VERSION_TAG?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^version/ { gsub(/['\'',]/, ""); print $$2; }') - -SHELL=/bin/bash - -## all: run all test targets -all: echo lint test validate - -## versions: show currently installed tool versions -versions: - helm version ; echo - helm plugin list | grep unittest ; echo - kubeval --version - @echo '--------------------' - -## echo: print chart information -echo: - @echo '-=-=-=-=-=-=-=-=-=-=- "${CHART_NAME}" version: "${VERSION_TAG}" -=-=-=-=-=-=-=-=-=-=-' - -## test: run unittests -test: - helm unittest --color . - @echo '--------------------' - -## lint: lint helm chart -lint: - helm lint . - @echo '--------------------' - -## validate: validate rendered chart templates using 'kubeval' -validate: - helm template . | kubeval --strict --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/ --ignore-missing-schemas --force-color - - @echo '--------------------' - -## docs: generate chart documentation to stdout, if firgate is installed -docs: - frigate gen . - -.PHONY: help -## help: prints this help message -help: - @echo "Usage:" - @sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' | sed -e 's/^/ /' diff --git a/chart/helm2/sops-secrets-operator/README.md b/chart/helm2/sops-secrets-operator/README.md deleted file mode 100644 index a36f6393..00000000 
--- a/chart/helm2/sops-secrets-operator/README.md +++ /dev/null 
@@ -1,128 +0,0 @@ -# !!! Depricated !!! - -Development of helm chart for helm v2 is stopped. - -# sops-secrets-operator - -Installs [sops-secrets-operator](https://github.com/isindir/sops-secrets-operator.git) to provide encrypted secrets in Weaveworks GitOps Flux environment. - -## TL;DR; - -```console -$ kubectl create namespace sops - -$ kubectl apply -f deploy/crds/isindir_v1alpha1_sopssecret_crd.yaml - -$ helm upgrade --install sops chart/sops-secrets-operator/ \ - --namespace sops -f custom.values.yaml -``` - -> where `custom.values.yaml` must customise deployment and configure access to Cloud KMS - -* AWS is supported via `kiam` namespace and pod annotations or via [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html) -* GCP is supported via service account secret which allows decryption using GCP KMS -* GPG is supported via secrets with GPG configuration -* Azure is supported via a Service principal plus a secret - -## Introduction - -This chart bootstraps a [sops-secrets-operator](https://github.com/isindir/sops-secrets-operator.git) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - - Kubernetes 1.12+ - - helm 2.+ - -## Installing the Chart - -### AWS - -* Deploy [kiam](https://github.com/uswitch/kiam) using [kiam chart](https://github.com/helm/charts/tree/master/stable/kiam) -* Create IAM assume role which allows to use KMS key for decryption -* Create Kubernetes namespace for operator deployment, with kiam annotation -* Apply `sops-secrets-operator` CRD -* Deploy helm chart - -### GCP - -* Create GCP Service Account which allows to use KMS to decrypt -* Create custom values file in a following format: - -```yaml -gcp: - enabled: true - svcAccSecret: |- - { - "type": "service_account", - ... 
- } -``` - -* Create Kubernetes namespace for operator deployment -* Apply `sops-secrets-operator` CRD -* Deploy helm chart specifying extra values file - -### Azure - -* Create a KeyVault if you don't have one already -* Create a Key in that KeyVault -* Create Service principal with permissions to use the key for Encryption/Decryption - * follow the [SOPS documentation](https://github.com/mozilla/sops#encrypting-using-azure-key-vault) -* Either put Tenant ID, Client ID and Client Secret for the Service Principal in your custom values.yaml file or create a Kubernetes Secret with the same information and put the name of that secret in your values.yaml. Enable Azure in the Helm Chart by setting `azure.enabled: true` in values.yaml. - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm delete --purge sops -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the Sops-secrets-operator chart and their default values. 
- -| Parameter | Description | Default | -| ------------------------ | ----------------------- | -------------- | -| `replicaCount` | Deployment replica count - should not be modified | `1` | -| `image.repository` | Operator image | `"isindir/sops-secrets-operator"` | -| `image.tag` | Operator image tag | `"0.1.8"` | -| `image.pullPolicy` | Operator image pull policy | `"Always"` | -| `imagePullSecrets` | Secrets to pull image from private docker repository | `[]` | -| `nameOverride` | Overrides auto-generated short resource name | `""` | -| `fullnameOverride` | Overrides auto-generated long resource name | `""` | -| `podAnnotations` | Annotations to be added to operator pod | `{}` | -| `serviceAccount.annotations` | Annotations to be added to the service account | `{}` | -| `gpg.enabled` | If `true` gcp secret will be created from provided value and mounted as environment variable | `false` | -| `gpg.secret1` | Name of the secret to create - will override default secret name if specified | `"gpg1"` | -| `gpg.secret2` | Name of the secret to create - will override default secret name if specified | `"gpg2"` | -| `gcp.enabled` | Node labels for operator pod assignment | `false` | -| `gcp.svcAccSecretCustomName` | Name of the secret to create - will override default secret name if specified | `""` | -| `gcp.svcAccSecret` | If `gcp.enabled` is `true`, this value must be specified as gcp service account secret json payload | `""` | -| `azure.enabled` | If true azure keyvault will be used | `false` | -| `azure.tenantId` | Tenantid of azure service principal to use | `""` | -| `azure.clientId` | Clientid (application id) of azure service principal to use | `""` | -| `azure.clientSecret` | Client secret of azure service principal | `""` | -| `azure.existingSecretName` | Name of a pre-existing secret containing azure service principal credentials (clientid, clientsecret, tenantid) | `""` | -| `secretsAsEnvVars` | Configure custom secrets to be used as environment variables 
at runtime, see values.yaml | `[]` | -| `secretsAsFiles` | Configure custom secrets to be mounted at runtime, see values.yaml | `[]` | -| `resources` | Operator container resources | `{}` | -| `nodeSelector` | Node selector to use for pod configuration | `{}` | -| `securityContext.enabled` | Enable securitycontext | `false` | -| `securityContext.runAsUser` | Uid to run as | `1000` | -| `securityContext.runAsGroup` | Gid to run as | `3000` | -| `securityContext.fsGroup` | Fs group | `2000` | -| `tolerations` | Tolerations to be applied to operator pod | `[]` | -| `affinity` | Node affinity for pod assignment | `{}` | -| `rbac.enabled` | Create and use rbac resources | `true` | -| `extraEnv` | A list of additional environment variables | `[]` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, - -> **Tip**: You can use the default [values.yaml](values.yaml) - ---- -_Documentation generated by [Frigate](https://frigate.readthedocs.io)._ diff --git a/chart/helm2/sops-secrets-operator/templates/NOTES.txt b/chart/helm2/sops-secrets-operator/templates/NOTES.txt deleted file mode 100644 index e69de29b..00000000 diff --git a/chart/helm2/sops-secrets-operator/templates/_helpers.tpl b/chart/helm2/sops-secrets-operator/templates/_helpers.tpl deleted file mode 100644 index 4bff9a58..00000000 --- a/chart/helm2/sops-secrets-operator/templates/_helpers.tpl +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "sops-secrets-operator.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "sops-secrets-operator.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "sops-secrets-operator.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "sops-secrets-operator.labels" -}} -app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }} -helm.sh/chart: {{ include "sops-secrets-operator.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} diff --git a/chart/helm2/sops-secrets-operator/templates/azure_secret.yaml b/chart/helm2/sops-secrets-operator/templates/azure_secret.yaml deleted file mode 100644 index b648ed38..00000000 --- a/chart/helm2/sops-secrets-operator/templates/azure_secret.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -{{- if and .Values.azure.enabled (not .Values.azure.existingSecretName) }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ include "sops-secrets-operator.name" . }}-azure-secret - labels: -{{ include "sops-secrets-operator.labels" . | indent 4 }} - app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} -type: Opaque -stringData: - tenantId: {{ .Values.azure.tenantId }} - clientId: {{ .Values.azure.clientId }} - clientSecret: {{ .Values.azure.clientSecret }} -{{- end }} diff --git a/chart/helm2/sops-secrets-operator/templates/cluster_role.yaml b/chart/helm2/sops-secrets-operator/templates/cluster_role.yaml deleted file mode 100644 index a9fca4d6..00000000 --- a/chart/helm2/sops-secrets-operator/templates/cluster_role.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "sops-secrets-operator.fullname" . }} - labels: -{{ include "sops-secrets-operator.labels" . | indent 4 }} -rules: -- apiGroups: - - "" - resources: - - configmaps - - secrets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - isindir.github.com - resources: - - '*' - verbs: - - '*' -{{- end }} diff --git a/chart/helm2/sops-secrets-operator/templates/cluster_role_binding.yaml b/chart/helm2/sops-secrets-operator/templates/cluster_role_binding.yaml deleted file mode 100644 index b4bf4beb..00000000 --- a/chart/helm2/sops-secrets-operator/templates/cluster_role_binding.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{- if .Values.rbac.enabled }} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: -metadata: - name: {{ include "sops-secrets-operator.fullname" . }} - labels: -{{ include "sops-secrets-operator.labels" . | indent 4 }} -subjects: -- kind: ServiceAccount - name: {{ include "sops-secrets-operator.fullname" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ include "sops-secrets-operator.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/chart/helm2/sops-secrets-operator/templates/gcp_secret.yaml b/chart/helm2/sops-secrets-operator/templates/gcp_secret.yaml deleted file mode 100644 index 99349da7..00000000 --- a/chart/helm2/sops-secrets-operator/templates/gcp_secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.gcp.enabled }} -kind: Secret -apiVersion: v1 -metadata: -{{- if .Values.gcp.svcAccSecretCustomName }} - name: {{ .Values.gcp.svcAccSecretCustomName }} -{{- else }} - name: {{ include "sops-secrets-operator.name" . }}-gcp-secret -{{- end }} - labels: -{{ include "sops-secrets-operator.labels" . | indent 4 }} -type: Opaque -stringData: - key.json: |- -{{ .Values.gcp.svcAccSecret | indent 4 }} -{{- end }} diff --git a/chart/helm2/sops-secrets-operator/templates/operator.yaml b/chart/helm2/sops-secrets-operator/templates/operator.yaml deleted file mode 100644 index 6fb180e8..00000000 --- a/chart/helm2/sops-secrets-operator/templates/operator.yaml +++ /dev/null 
@@ -1,162 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "sops-secrets-operator.fullname" . }} - labels: -{{ include "sops-secrets-operator.labels" . | indent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: -{{- if .Values.podAnnotations }} - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} -{{- end }} - labels: - app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "sops-secrets-operator.fullname" . }} - {{- if .Values.gpg.enabled }} - initContainers: - - name: init-myservice - image: debian:buster - imagePullPolicy: Always - command: ['/bin/sh', '-c', 'cp -Lr /var/secrets/gpg-secrets/* /var/secrets/gpg/'] - volumeMounts: - - mountPath: /var/secrets/gpg - name: sops-gpg - - mountPath: /var/secrets/gpg-secrets - name: sops-operator-gpg-keys1 - - mountPath: /var/secrets/gpg-secrets/private-keys-v1.d - name: sops-operator-gpg-keys2 - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }} - volumeMounts: - {{- end }} - {{- if .Values.gcp.enabled }} - - mountPath: /var/secrets/google - name: sops-operator-gke-svc-account - {{- end }} - {{- if .Values.gpg.enabled }} - - mountPath: /var/secrets/gpg - name: sops-gpg - - mountPath: /var/secrets/gpg-secrets - name: sops-operator-gpg-keys1 - - mountPath: /var/secrets/gpg-secrets/private-keys-v1.d - name: sops-operator-gpg-keys2 - {{- end }} - {{- range .Values.secretsAsFiles }} - - name: {{ .name }} - mountPath: {{ 
.mountPath }} - readOnly: true - {{- end }} - command: - - /usr/local/bin/manager - args: - #- "--metrics-addr=127.0.0.1:8080" - - "--enable-leader-election" - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - {{- if .Values.gcp.enabled }} - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/secrets/google/key.json - {{- end }} - {{- if .Values.gpg.enabled }} - - name: GNUPGHOME - value: /var/secrets/gpg - {{- end }} - {{- if .Values.azure.enabled }} - {{- $secretname := printf "%s-azure-secret" (include "sops-secrets-operator.name" .) -}} - {{- if .Values.azure.existingSecretName }} - {{- $secretname = .Values.azure.existingSecretName -}} - {{- end }} - - name: AZURE_TENANT_ID - valueFrom: - secretKeyRef: - name: {{ $secretname }} - key: tenantId - - name: AZURE_CLIENT_ID - valueFrom: - secretKeyRef: - name: {{ $secretname }} - key: clientId - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ $secretname }} - key: clientSecret - {{- end }} - {{- range .Values.secretsAsEnvVars }} - - name: {{ .name }} - valueFrom: - secretKeyRef: - name: {{ .secretName }} - key: {{ .secretKey }} - {{- end }} - {{- range $env := .Values.extraEnv }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }} - volumes: - {{- end }} - {{- if .Values.gcp.enabled }} - - name: sops-operator-gke-svc-account - secret: - {{- if .Values.gcp.svcAccSecretCustomName }} - secretName: {{ .Values.gcp.svcAccSecretCustomName }} - {{- else }} - secretName: {{ include "sops-secrets-operator.name" . 
}}-gcp-secret - {{- end }} - {{- end }} - {{- if .Values.gpg.enabled }} - - name: sops-operator-gpg-keys1 - secret: - secretName: {{ .Values.gpg.secret1 }} - - name: sops-operator-gpg-keys2 - secret: - secretName: {{ .Values.gpg.secret2 }} - - name: sops-gpg - emptyDir: {} - {{- end }} - {{- range .Values.secretsAsFiles }} - - name: {{ .name }} - secret: - secretName: {{ .secretName }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup }} - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/chart/helm2/sops-secrets-operator/templates/service_account.yaml b/chart/helm2/sops-secrets-operator/templates/service_account.yaml deleted file mode 100644 index d3ef1382..00000000 --- a/chart/helm2/sops-secrets-operator/templates/service_account.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.rbac.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "sops-secrets-operator.fullname" . }} -{{- with .Values.serviceAccount.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: -{{ include "sops-secrets-operator.labels" . | indent 4 }} -{{- end }} diff --git a/chart/helm2/sops-secrets-operator/templates/tests/test-connection.yaml b/chart/helm2/sops-secrets-operator/templates/tests/test-connection.yaml deleted file mode 100644 index 78737943..00000000 --- a/chart/helm2/sops-secrets-operator/templates/tests/test-connection.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "sops-secrets-operator.fullname" . }}-test-connection" - labels: -{{ include "sops-secrets-operator.labels" . | indent 4 }} - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['kubectl'] - args: - - 'get' - - 'pods' - restartPolicy: Never diff --git a/chart/helm2/sops-secrets-operator/values.yaml b/chart/helm2/sops-secrets-operator/values.yaml deleted file mode 100644 index 32e51b0b..00000000 --- a/chart/helm2/sops-secrets-operator/values.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -# Default values for sops-secrets-operator. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 # Deployment replica count - should not be modified - -image: - repository: isindir/sops-secrets-operator # Operator image - tag: 0.1.8 # Operator image tag - pullPolicy: Always # Operator image pull policy - -imagePullSecrets: [] # Secrets to pull image from private docker repository -nameOverride: "" # Overrides auto-generated short resource name -fullnameOverride: "" # Overrides auto-generated long resource name - -# aws -podAnnotations: {} # Annotations to be added to operator pod - -serviceAccount: - annotations: {} # Annotations to be added to the service account - -gpg: - enabled: false # If `true` GCP secret will be created from provided value and mounted as environment variable - secret1: gpg1 # Name of the secret to create - will override default secret name if specified - secret2: gpg2 # Name of the secret to create - will override default secret name if specified - -gcp: - enabled: false # Node labels for operator pod assignment - svcAccSecretCustomName: '' # Name of the secret to create - will override default secret name if specified - svcAccSecret: '' # If `gcp.enabled` is `true`, this value must be specified as GCP service account secret json payload - -# Azure KeyVault -# If you enable this, you must either specify clientId, tenantId and clientSecret in values.yaml or you can reference -# a secret you have created yourself via another means by specifying a name in existingSecretName -azure: - enabled: false # if true Azure KeyVault will be used - # Specify your credentials here or use existingSecretName below to use a pre-existing secret - tenantId: '' # TenantID of Azure Service principal to use - clientId: '' # ClientID (Application ID) of Azure Service Principal to use - clientSecret: '' # Client Secret of Azure Service Principal - # Pre-existing secret must contain the keys 
tenantId, clientId and clientSecret with the appropriate values - existingSecretName: '' # Name of a pre-existing secret containing Azure Service Principal Credentials (ClientID, ClientSecret, TenantID) - -secretsAsEnvVars: [] # configure custom secrets to be used as environment variables at runtime, see values.yaml -#- name: SECRET_GREETING -# secretName: my-secret-greeting -# secretKey: greeting - -secretsAsFiles: [] # configure custom secrets to be mounted at runtime, see values.yaml -# All files within secret will be mounted in "/etc/foo" - same as 1st example in k8s documentation -# all secrets will be mounted as readonly -#- name: foo -# mountPath: "/etc/foo" -# secretName: mysecret - -resources: {} # Operator container resources - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} # Node selector to use for pod configuration - -securityContext: - enabled: false # Enable securityContext - runAsUser: 1000 # UID to run as - runAsGroup: 3000 # GID to run as - fsGroup: 2000 # fs group - -tolerations: [] # Tolerations to be applied to operator pod - -affinity: {} # Node affinity for pod assignment - -rbac: - enabled: true # Create and use RBAC resources - -extraEnv: [] # A list of additional environment variables -#- name: AWS_SDK_LOAD_CONFIG -# value: "1" diff --git a/chart/helm3/sops-secrets-operator/Makefile b/chart/helm3/sops-secrets-operator/Makefile index cc9a90c7..35df707f 100644 --- a/chart/helm3/sops-secrets-operator/Makefile +++ b/chart/helm3/sops-secrets-operator/Makefile 
@@ -22,14 +22,7 @@ versions: ## shows currently installed tool versions helm version ; echo helm plugin list | grep unittest ; echo @echo '--------------------' - @asdf current kubebuilder - @asdf current golang - @asdf current sops - @asdf current kustomize - @asdf current k3d - @asdf current kubectl - @asdf current helm - @asdf current kubeval + @asdf current 2>/dev/null | grep sops-secrets-operator @echo '--------------------' .PHONY: echo @@ -47,10 +40,17 @@ lint: ## runs helm chart linting @echo '--------------------' .PHONY: validate -validate: ## validates rendered chart templates using 'kubeval' - helm template . --set securityContextenabled=true \ - | kubeval --force-color \ - --strict \ - --schema-location https://raw.githubusercontent.com/Onemind-Services-LLC/kubernetes-json-schema/master/schema \ - --kubernetes-version $(K8S_VERSION) - +validate: ## validates rendered chart templates using 'kubeconform' + helm template . \ + --set securityContextenabled=true \ + --set metrics.enabled=true \ + --set gcp.enabled=true \ + --set azure.enabled=true \ + | kubeconform -summary \ + -verbose \ + -strict \ + -output pretty \ + -schema-location https://raw.githubusercontent.com/Onemind-Services-LLC/kubernetes-json-schema/master/schema \ + -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/monitoring.coreos.com/servicemonitor_v1.json \ + -kubernetes-version $(K8S_VERSION) - @echo '--------------------' diff --git a/go.mod b/go.mod index 7b6ff3a6..4bd6ca80 100644 --- a/go.mod +++ b/go.mod 
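Review bot: The new `@asdf current 2>/dev/null | grep sops-secrets-operator` in the `versions` target filters on a literal repository name, which presumably matches only through the path column of asdf's output pointing at the checkout's `.tool-versions`; a checkout under any other directory name makes grep match nothing and exit 1, so the target fails while `2>/dev/null` has already discarded whatever asdf reported. Anchoring the filter on the tool-versions file rather than the directory name avoids that, e.g. `@asdf current 2>/dev/null | grep -F "$(realpath $(CURDIR)/../../..)/.tool-versions"` (the root `.tool-versions` is three levels above this Makefile), assuming asdf prints the source file path in that column — worth confirming on the installed version. If the eight explicit `asdf current <tool>` lines were dropped to avoid listing tools, a short comment naming that intent would help the next reader understand why the output is filtered.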
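Review bot: `--set securityContextenabled=true` in the new `validate` recipe is missing the dot — Helm sets a top-level key named `securityContextenabled`, not `securityContext.enabled`, so if the helm3 chart mirrors the removed helm2 template (which reads `.Values.securityContext.enabled`) the security-context block this target is meant to validate is never rendered; the typo was carried over from the removed line, so the switch to kubeconform does not fix it. The line should read `--set securityContext.enabled=true \`. Both `-schema-location` URLs reference the `master` and `main` branches of third-party repositories, so the schemas kubeconform validates against can change or disappear without any change in this repo; pinning them to a commit (`.../<COMMIT_SHA>/schema`) keeps `make validate` reproducible and makes schema updates reviewable. The `validate` recipe ends at the trailing `@echo` inside this hunk.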
@@ -6,17 +6,22 @@ go 1.21
 require (
 	// https://github.com/mozilla/sops/releases
 	github.com/getsops/sops/v3 v3.8.1
+	// https://github.com/go-logr/logr/releases
 	github.com/go-logr/logr v1.4.1
 	// https://github.com/onsi/ginkgo/releases
 	github.com/onsi/ginkgo/v2 v2.15.0
+	// https://github.com/onsi/gomega/releases
 	github.com/onsi/gomega v1.31.1
+	// https://github.com/prometheus/client_golang/releases
 	github.com/prometheus/client_golang v1.18.0
+	// https://github.com/sirupsen/logrus/releases
 	github.com/sirupsen/logrus v1.9.3
-	k8s.io/api v0.29.1
 	// https://github.com/kubernetes/apimachinery/tags
+	k8s.io/api v0.29.1
 	k8s.io/apimachinery v0.29.1
 	k8s.io/client-go v0.29.1
-	sigs.k8s.io/controller-runtime v0.17.0
+	// https://github.com/kubernetes-sigs/controller-runtime/releases
+	sigs.k8s.io/controller-runtime v0.17.1
 )
 
 require (
diff --git a/go.sum b/go.sum
index baa6d23d..ed0d2f16 100644
--- a/go.sum
+++ b/go.sum
@@ -496,8 +496,8 @@ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/A
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s=
-sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
+sigs.k8s.io/controller-runtime v0.17.1 h1:V1dQELMGVk46YVXXQUbTFujU7u4DQj6YUj9Rb6cuzz8=
+sigs.k8s.io/controller-runtime v0.17.1/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=