feat: add helm unit tests and abitlity to mount arbitrary secrets as …

…env variables or files (#30)

* feat: add helm unit tests and abitlity to mount arbitrary secrets as env variables or files

* bump charts versions

.circleci/config.yml

@@ -86,7 +86,7 @@ jobs:
       # https://github.com/rancher/k3d/releases
       K3D_VERSION: v3.0.1
       # https://github.com/helm/helm/releases
-      HELM_VERSION: v3.3.3
+      HELM_VERSION: v3.3.4
       # https://golang.org/dl/
       GOLANG_VERSION: 1.14.9
       # https://github.com/kubernetes-sigs/kubebuilder/releases
@@ -95,6 +95,10 @@ jobs:
       SOPS_VERSION: v3.6.1
       # https://github.com/kubernetes-sigs/kustomize/releases
       KUSTOMIZE_VERSION: v3.8.3
+      # https://github.com/quintush/helm-unittest/releases
+      HELM_UNITTEST_VERSION: 0.2.4
+      # https://github.com/instrumenta/kubeval/releases
+      KUBEVAL_VERSION: 0.15.0
 
       KUBECONFIG: /home/circleci/.kube/config
 
@@ -161,6 +165,18 @@ jobs:
             sudo mv linux-amd64/helm /usr/local/bin/
             rm -fr linux-amd64
             helm version
+            # install helm-unittest plugin
+            helm plugin install https://github.com/quintush/helm-unittest --version ${HELM_UNITTEST_VERSION}
+            helm unittest --help
+          background: true
+      - run:
+          name: install kubeval
+          command: |
+            # install kubeval
+            curl -sSL https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz | tar -xzvf - kubeval
+            chmod +x kubeval
+            sudo mv kubeval /usr/local/bin/
+            kubeval --version
           background: true
       - run:
           name: install kubectl
@@ -191,13 +207,18 @@ jobs:
             kubectl describe node k3d-operator-server-0
             kubectl describe node k3d-operator-agent-0
       - run:
-          name: Run Tests
+          name: Docker build
           command: |
             make docker-build
       - save_cache:
           key: v2-modules-{{ .Branch }}-{{ checksum "go.sum" }}
           paths:
             - "/home/circleci/gogo/pkg"
+      # run helm tests
+      - run:
+          name: Test helm charts
+          command: |
+            make test-helm
       # tests start here
       - run:
           name: Run Local Tests

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,2 +1 @@
 #### What this PR does / why we need it:
-

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v1.4.0
+  rev: v3.2.0
   hooks:
   - id: check-symlinks
   - id: check-merge-conflict

Makefile

@@ -31,6 +31,13 @@ package-helm:
 			helm repo index . --url https://isindir.github.io/sops-secrets-operator ) ; \
 	}
 
+## test-helm: test helm charts
+test-helm:
+	@{ \
+		$(MAKE) -C chart/helm2/sops-secrets-operator all ; \
+		$(MAKE) -C chart/helm3/sops-secrets-operator all ; \
+	}
+
 ## test: Run tests
 test: generate fmt vet manifests
 	USE_EXISTING_CLUSTER=${USE_EXISTING_CLUSTER} go test ./... -coverprofile cover.out
@@ -131,6 +138,12 @@ else
 CONTROLLER_GEN=$(shell which controller-gen)
 endif
 
+## pre-commit: update pre-commit
+pre-commit:
+	pre-commit install
+	pre-commit autoupdate
+	pre-commit run -a
+
 .PHONY: help
 ## help: prints this help message
 help:

chart/helm2/sops-secrets-operator/.helmignore

@@ -20,8 +20,10 @@
 .idea/
 *.tmproj
 .vscode/
+# Custom
 qqq.*
 abc.*
 *.qqq
 *.abc
 *.vim
+Makefile

chart/helm2/sops-secrets-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-version: 0.3.6
+version: 0.3.7
 appVersion: 0.1.5
 description: sops secrets operator
 name: sops-secrets-operator

chart/helm2/sops-secrets-operator/Makefile

@@ -0,0 +1,45 @@
+.PHONY: all dep list test
+
+CHART_NAME?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^name:/ { gsub(/['\'',]/, ""); print $$2; }')
+VERSION_TAG?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^version/ { gsub(/['\'',]/, ""); print $$2; }')
+
+SHELL=/bin/bash
+
+## all: run all test targets
+all: echo lint test validate
+
+## versions: show currently installed tool versions
+versions:
+	helm version ; echo
+	helm plugin list | grep unittest ; echo
+	kubeval --version
+	@echo '--------------------'
+
+## echo: print chart information
+echo:
+	@echo '-=-=-=-=-=-=-=-=-=-=- "${CHART_NAME}" version: "${VERSION_TAG}" -=-=-=-=-=-=-=-=-=-=-'
+
+## test: run unittests
+test:
+	helm unittest --color .
+	@echo '--------------------'
+
+## lint: lint helm chart
+lint:
+	helm lint .
+	@echo '--------------------'
+
+## validate: validate rendered chart templates using 'kubeval'
+validate:
+	helm template . | kubeval --ignore-missing-schemas --force-color -
+	@echo '--------------------'
+
+## docs: generate chart documentation to stdout, if firgate is installed
+docs:
+	frigate gen .
+
+.PHONY: help
+## help: prints this help message
+help:
+	@echo "Usage:"
+	@sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' |  sed -e 's/^/ /'

chart/helm2/sops-secrets-operator/README.md

@@ -83,12 +83,13 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | ------------------------ | ----------------------- | -------------- |
 | `replicaCount` | Deployment replica count  - should not be modified | `1` |
 | `image.repository` | Operator image | `"isindir/sops-secrets-operator"` |
-| `image.tag` | Operator image tag | `"0.1.0"` |
+| `image.tag` | Operator image tag | `"0.1.5"` |
 | `image.pullPolicy` | Operator image pull policy | `"Always"` |
 | `imagePullSecrets` | Secrets to pull image from private docker repository | `[]` |
 | `nameOverride` | Overrides auto-generated short resource name | `""` |
 | `fullnameOverride` | Overrides auto-generated long resource name | `""` |
 | `podAnnotations` | Annotations to be added to operator pod | `{}` |
+| `serviceAccount.annotations` | Annotations to be added to the service account | `{}` |
 | `gpg.enabled` | If `true` gcp secret will be created from provided value and mounted as environment variable | `false` |
 | `gpg.secret1` | Name of the secret to create - will override default secret name if specified | `"gpg1"` |
 | `gpg.secret2` | Name of the secret to create - will override default secret name if specified | `"gpg2"` |
@@ -100,6 +101,8 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | `azure.clientId`| Client (Application) ID of the Azure Service principal to use for Key access | `''` |
 | `azure.clientSecret`| Client Secret of the Azure Service principal to use for Key access | `''` |
 | `azure.existingSecretName`| If set the named secret will be used to find the Azure SP credentials. | `''` |
+| `secretsAsEnvVars` | Configure custom secrets to be used as environment variables at runtime, see values.yaml | `[]` |
+| `secretsAsFiles` | Configure custom secrets to be mounted at runtime, see values.yaml | `[]` |
 | `resources` | Operator container resources | `{}` |
 | `nodeSelector` | Node selector to use for pod configuration | `{}` |
 | `securityContext.enabled` | Enable securitycontext | `false` |

chart/helm2/sops-secrets-operator/templates/operator.yaml

@@ -43,7 +43,7 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- if or .Values.gcp.enabled .Values.gpg.enabled }}
+          {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }}
           volumeMounts:
           {{- end }}
           {{- if .Values.gcp.enabled }}
@@ -58,6 +58,11 @@ spec:
           - mountPath: /var/secrets/gpg-secrets/private-keys-v1.d
             name: sops-operator-gpg-keys2
           {{- end }}
+          {{- range .Values.secretsAsFiles }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            readOnly: true
+          {{- end }}
           command:
           - /usr/local/bin/manager
           args:
@@ -97,9 +102,16 @@ spec:
                   name: {{ $secretname }}
                   key: clientSecret
             {{- end }}
+            {{- range .Values.secretsAsEnvVars }}
+            - name: {{ .name }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretName }}
+                  key: {{ .secretKey }}
+            {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-      {{- if or .Values.gcp.enabled .Values.gpg.enabled }}
+      {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }}
       volumes:
       {{- end }}
       {{- if .Values.gcp.enabled }}
@@ -121,6 +133,11 @@ spec:
       - name: sops-gpg
         emptyDir: {}
       {{- end }}
+      {{- range .Values.secretsAsFiles }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

chart/helm2/sops-secrets-operator/values.yaml

@@ -41,6 +41,18 @@ azure:
   # Pre-existing secret must contain the keys tenantId, clientId and clientSecret with the appropriate values
   existingSecretName: '' # Name of a pre-existing secret containing Azure Service Principal Credentials (ClientID, ClientSecret, TenantID)
 
+secretsAsEnvVars: []  # configure custom secrets to be used as environment variables at runtime, see values.yaml
+#- name: SECRET_GREETING
+#  secretName: my-secret-greeting
+#  secretKey: greeting
+
+secretsAsFiles: []  # configure custom secrets to be mounted at runtime, see values.yaml
+# All files within secret will be mounted in "/etc/foo" - same as 1st example in k8s documentation
+# all secrets will be mounted as readonly
+#- name: foo
+#  mountPath: "/etc/foo"
+#  secretName: mysecret
+
 resources: {}  # Operator container resources
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little

chart/helm3/sops-secrets-operator/.helmignore

@@ -20,8 +20,10 @@
 .idea/
 *.tmproj
 .vscode/
+# Custom
 qqq.*
 abc.*
 *.qqq
 *.abc
 *.vim
+Makefile

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-version: 0.4.7
+version: 0.4.8
 appVersion: 0.1.5
 type: application
 description: sops secrets operator

chart/helm3/sops-secrets-operator/Makefile

@@ -0,0 +1,45 @@
+.PHONY: all dep list test
+
+CHART_NAME?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^name:/ { gsub(/['\'',]/, ""); print $$2; }')
+VERSION_TAG?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^version/ { gsub(/['\'',]/, ""); print $$2; }')
+
+SHELL=/bin/bash
+
+## all: run all test targets
+all: echo lint test validate
+
+## versions: show currently installed tool versions
+versions:
+	helm version ; echo
+	helm plugin list | grep unittest ; echo
+	kubeval --version
+	@echo '--------------------'
+
+## echo: print chart information
+echo:
+	@echo '-=-=-=-=-=-=-=-=-=-=- "${CHART_NAME}" version: "${VERSION_TAG}" -=-=-=-=-=-=-=-=-=-=-'
+
+## test: run unittests
+test:
+	helm unittest --helm3 --color .
+	@echo '--------------------'
+
+## lint: lint helm chart
+lint:
+	helm lint .
+	@echo '--------------------'
+
+## validate: validate rendered chart templates using 'kubeval'
+validate:
+	helm template . | kubeval --ignore-missing-schemas --force-color -
+	@echo '--------------------'
+
+## docs: generate chart documentation to stdout, if firgate is installed
+docs:
+	frigate gen .
+
+.PHONY: help
+## help: prints this help message
+help:
+	@echo "Usage:"
+	@sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' |  sed -e 's/^/ /'

chart/helm3/sops-secrets-operator/README.md

@@ -83,12 +83,13 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | ------------------------ | ----------------------- | -------------- |
 | `replicaCount` | Deployment replica count  - should not be modified | `1` |
 | `image.repository` | Operator image | `"isindir/sops-secrets-operator"` |
-| `image.tag` | Operator image tag | `"0.1.0"` |
+| `image.tag` | Operator image tag | `"0.1.5"` |
 | `image.pullPolicy` | Operator image pull policy | `"Always"` |
 | `imagePullSecrets` | Secrets to pull image from private docker repository | `[]` |
 | `nameOverride` | Overrides auto-generated short resource name | `""` |
 | `fullnameOverride` | Overrides auto-generated long resource name | `""` |
 | `podAnnotations` | Annotations to be added to operator pod | `{}` |
+| `serviceAccount.annotations` | Annotations to be added to the service account | `{}` |
 | `gpg.enabled` | If `true` gcp secret will be created from provided value and mounted as environment variable | `false` |
 | `gpg.secret1` | Name of the secret to create - will override default secret name if specified | `"gpg1"` |
 | `gpg.secret2` | Name of the secret to create - will override default secret name if specified | `"gpg2"` |
@@ -100,6 +101,8 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | `azure.clientId`| Client (Application) ID of the Azure Service principal to use for Key access | `''` |
 | `azure.clientSecret`| Client Secret of the Azure Service principal to use for Key access | `''` |
 | `azure.existingSecretName`| If set the named secret will be used to find the Azure SP credentials. | `''` |
+| `secretsAsEnvVars` | Configure custom secrets to be used as environment variables at runtime, see values.yaml | `[]` |
+| `secretsAsFiles` | Configure custom secrets to be mounted at runtime, see values.yaml | `[]` |
 | `resources` | Operator container resources | `{}` |
 | `nodeSelector` | Node selector to use for pod configuration | `{}` |
 | `securityContext.enabled` | Enable securitycontext | `false` |

chart/helm3/sops-secrets-operator/templates/operator.yaml

@@ -43,7 +43,7 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- if or .Values.gcp.enabled .Values.gpg.enabled }}
+          {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }}
           volumeMounts:
           {{- end }}
           {{- if .Values.gcp.enabled }}
@@ -58,6 +58,11 @@ spec:
           - mountPath: /var/secrets/gpg-secrets/private-keys-v1.d
             name: sops-operator-gpg-keys2
           {{- end }}
+          {{- range .Values.secretsAsFiles }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            readOnly: true
+          {{- end }}
           command:
           - /usr/local/bin/manager
           args:
@@ -97,9 +102,16 @@ spec:
                   name: {{ $secretname }}
                   key: clientSecret
             {{- end }}
+            {{- range .Values.secretsAsEnvVars }}
+            - name: {{ .name }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretName }}
+                  key: {{ .secretKey }}
+            {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-      {{- if or .Values.gcp.enabled .Values.gpg.enabled }}
+      {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }}
       volumes:
       {{- end }}
       {{- if .Values.gcp.enabled }}
@@ -121,6 +133,11 @@ spec:
       - name: sops-gpg
         emptyDir: {}
       {{- end }}
+      {{- range .Values.secretsAsFiles }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}