feat: k8s version updates; pod/container securityContext configuation…

… changes

.github/workflows/ci.yaml

@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-20.04
     env:
       # https://hub.docker.com/r/rancher/k3s/tags
-      K3S_VERSION: v1.28.5-k3s1
+      K3S_VERSION: v1.29.0-k3s1
       # https://github.com/helm-unittest/helm-unittest/releases
       HELM_UNITTEST_VERSION: 0.4.1
 
     steps:
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         name: Check out code
 
       - name: Install asdf tools

.github/workflows/release.yaml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         name: Check out code
 
       - name: Install asdf tools

.github/workflows/reviewdog.yaml

@@ -0,0 +1,23 @@
+name: reviewdog
+on: [pull_request]
+
+jobs:
+  golangci-lint:
+    name: runner / golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4
+
+      - name: golangci-lint
+        uses: reviewdog/action-golangci-lint@v2
+        with:
+          golangci_lint_flags: "--timeout=4m"
+
+      - name: action-lint
+        uses: reviewdog/action-actionlint@v1
+
+      - name: docker hadolint
+        uses: reviewdog/action-hadolint@v1
+        with:
+          hadolint_flags: --trusted-registry docker.io

.pre-commit-config.yaml

@@ -2,7 +2,7 @@
 repos:
 - repo: https://github.com/norwoodj/helm-docs
   # https://github.com/norwoodj/helm-docs/releases
-  rev: v1.11.3
+  rev: v1.12.0
   hooks:
   - id: helm-docs
     args:

.tool-versions

@@ -11,11 +11,11 @@ kustomize 5.3.0
 # https://github.com/rancher/k3d/releases
 k3d 5.6.0
 # https://github.com/kubernetes/kubernetes/releases
-kubectl 1.29.0
+kubectl 1.29.1
 # https://github.com/helm/helm/releases
-helm 3.13.3
+helm 3.14.0
 # https://github.com/norwoodj/helm-docs/releases
-helm-docs 1.11.3
+helm-docs 1.12.0
 # https://github.com/instrumenta/kubeval/releases
 kubeval v0.16.1
 # https://github.com/git-chglog/git-chglog/releases

Makefile

@@ -1,19 +1,19 @@
 # UPDATE_HERE
 GO := GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.12.0
+SOPS_SEC_OPERATOR_VERSION := 0.12.1
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.14.0"
 # https://github.com/kubernetes-sigs/controller-runtime/releases
-CONTROLLER_RUNTIME_VERSION := "v0.16.3"
+CONTROLLER_RUNTIME_VERSION := "v0.17.0"
 # https://github.com/kubernetes-sigs/kustomize/releases
 KUSTOMIZE_VERSION := "v5.3.0"
 # use `setup-envtest list` to obtain the list of available versions
 # until fixed, can't use newer version, see:
 #   https://github.com/kubernetes-sigs/controller-runtime/issues/1571
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 # https://storage.googleapis.com/kubebuilder-tools
-ENVTEST_K8S_VERSION := "1.28.3"
+ENVTEST_K8S_VERSION := "1.29.0"
 
 # Use existing cluster instead of starting processes
 USE_EXISTING_CLUSTER ?= true

README.md

@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.29.x | v3.8.1 | 0.18.0 | 0.12.0 |
+| v1.29.x | v3.8.1 | 0.18.1 | 0.12.1 |
 | v1.28.x | v3.8.1 | 0.17.4 | 0.11.4 |
 | v1.27.x | v3.7.3 | 0.15.5 | 0.9.5 |
 | v1.26.x | v3.7.3 | 0.14.2 | 0.8.2 |

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.18.0
-appVersion: 0.12.0
+version: 0.18.1
+appVersion: 0.12.1
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

chart/helm3/sops-secrets-operator/Makefile

@@ -4,7 +4,7 @@ CHART_NAME?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^name:/ { gsub(
 VERSION_TAG?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^version/ { gsub(/['\'',]/, ""); print $$2; }')
 
 # UPDATE_HERE
-K8S_VERSION := "1.29.0"
+K8S_VERSION := "1.29.1"
 
 SHELL=/bin/bash
 

chart/helm3/sops-secrets-operator/README.md

@@ -134,7 +134,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.12.0"` | Operator image tag |
+| image.tag | string | `"0.12.1"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | initImage.pullPolicy | string | `"Always"` | Init container image pull policy |
 | initImage.repository | string | `"ubuntu"` | Init container image name |
@@ -156,10 +156,16 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | resources | object | `{}` | Operator container resources |
 | secretsAsEnvVars | list | `[]` | configure custom secrets to be used as environment variables at runtime, see values.yaml |
 | secretsAsFiles | list | `[]` | configure custom secrets to be mounted at runtime, see values.yaml |
+| securityContext.container | object | `{"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["all"],"enabled":false}}` | container/initContainer |
+| securityContext.container.capabilities | object | `{"add":["NET_BIND_SERVICE"],"drop":["all"],"enabled":false}` | capabilities |
+| securityContext.container.capabilities.enabled | bool | `false` | enables securityContext capabilities feature in containers |
 | securityContext.enabled | bool | `false` | Enable securityContext |
 | securityContext.fsGroup | int | `13001` | fs group |
 | securityContext.runAsGroup | int | `13001` | GID to run as |
+| securityContext.runAsNonRoot | bool | `true` | Enable kubelet validation for using root user to run container |
 | securityContext.runAsUser | int | `13001` | UID to run as |
+| securityContext.seccompProfileName | string | `""` | if seccompProfile.type is set to Localhost, set localhostProfile to value of seccompProfileName (user must specify value) |
+| securityContext.seccompProfileType | string | `"RuntimeDefault"` | seccompProfile.type |
 | serviceAccount.annotations | object | `{}` | Annotations to be added to the service account |
 | tolerations | list | `[]` | Tolerations to be applied to operator pod |
 

chart/helm3/sops-secrets-operator/templates/operator.yaml

@@ -34,6 +34,12 @@ spec:
           image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
           imagePullPolicy: {{ .Values.initImage.pullPolicy }}
           command: ['/bin/sh', '-c', 'cp -Lr /var/secrets/gpg-secrets/* /var/secrets/gpg/']
+          {{- if and .Values.securityContext.enabled .Values.securityContext.container.capabilities.enabled }}
+          securityContext:
+            capabilities:
+              drop: {{ .Values.securityContext.container.capabilities.drop }}
+              add: {{ .Values.securityContext.container.capabilities.add }}
+          {{- end }}
           volumeMounts:
           - mountPath: /var/secrets/gpg
             name: sops-gpg
@@ -46,6 +52,12 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if and .Values.securityContext.enabled .Values.securityContext.container.capabilities.enabled }}
+          securityContext:
+            capabilities:
+              drop: {{ .Values.securityContext.container.capabilities.drop }}
+              add: {{ .Values.securityContext.container.capabilities.add }}
+          {{- end }}
           {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }}
           volumeMounts:
           {{- end }}
@@ -180,6 +192,12 @@ spec:
         runAsUser: {{ .Values.securityContext.runAsUser }}
         runAsGroup: {{ .Values.securityContext.runAsGroup }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
+        runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+        seccompProfile:
+          type: {{ .Values.securityContext.seccompProfileType }}
+          {{- if  eq .Values.securityContext.seccompProfileType "Localhost" }}
+          localhostProfile: {{ .Values.securityContext.seccompProfileName }}
+          {{- end }}
       {{- end }}
       {{- with .Values.affinity }}
       affinity:

chart/helm3/sops-secrets-operator/tests/operator_test.yaml

@@ -31,8 +31,8 @@ tests:
             app.kubernetes.io/instance: sops
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: 0.12.0
-            helm.sh/chart: sops-secrets-operator-0.18.0
+            app.kubernetes.io/version: 0.12.1
+            helm.sh/chart: sops-secrets-operator-0.18.1
 
   # custom name
   - it: should correctly render custome name
@@ -170,7 +170,7 @@ tests:
       # UPDATE_HERE
       - equal:
           path: spec.template.spec.containers[0].image
-          value: isindir/sops-secrets-operator:0.12.0
+          value: isindir/sops-secrets-operator:0.12.1
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: Always

chart/helm3/sops-secrets-operator/values.yaml

@@ -13,7 +13,7 @@ image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.12.0
+  tag: 0.12.1
   # -- Operator image pull policy
   pullPolicy: Always
 
@@ -154,8 +154,24 @@ securityContext:
   runAsUser: 13001
   # -- GID to run as
   runAsGroup: 13001
+  # -- Enable kubelet validation for using root user to run container
+  runAsNonRoot: true
   # -- fs group
   fsGroup: 13001
+  # -- seccompProfile.type
+  seccompProfileType: RuntimeDefault
+  # -- if seccompProfile.type is set to Localhost, set localhostProfile to value of seccompProfileName (user must specify value)
+  seccompProfileName: ""
+  # -- container/initContainer
+  container:
+    # -- capabilities
+    capabilities:
+      # -- enables securityContext capabilities feature in containers
+      enabled: false
+      drop:
+        - all
+      add:
+        - NET_BIND_SERVICE
 
 # -- Tolerations to be applied to operator pod
 tolerations: []