diff --git a/.circleci/config.yml b/.circleci/config.yml index ccd7a7ab..c5766c8b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -86,7 +86,7 @@ jobs: # https://github.com/rancher/k3d/releases K3D_VERSION: v3.0.1 # https://github.com/helm/helm/releases - HELM_VERSION: v3.3.3 + HELM_VERSION: v3.3.4 # https://golang.org/dl/ GOLANG_VERSION: 1.14.9 # https://github.com/kubernetes-sigs/kubebuilder/releases @@ -95,6 +95,10 @@ jobs: SOPS_VERSION: v3.6.1 # https://github.com/kubernetes-sigs/kustomize/releases KUSTOMIZE_VERSION: v3.8.3 + # https://github.com/quintush/helm-unittest/releases + HELM_UNITTEST_VERSION: 0.2.4 + # https://github.com/instrumenta/kubeval/releases + KUBEVAL_VERSION: 0.15.0 KUBECONFIG: /home/circleci/.kube/config @@ -161,6 +165,18 @@ jobs: sudo mv linux-amd64/helm /usr/local/bin/ rm -fr linux-amd64 helm version + # install helm-unittest plugin + helm plugin install https://github.com/quintush/helm-unittest --version ${HELM_UNITTEST_VERSION} + helm unittest --help + background: true + - run: + name: install kubeval + command: | + # install kubeval + curl -sSL https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz | tar -xzvf - kubeval + chmod +x kubeval + sudo mv kubeval /usr/local/bin/ + kubeval --version background: true - run: name: install kubectl @@ -191,13 +207,18 @@ jobs: kubectl describe node k3d-operator-server-0 kubectl describe node k3d-operator-agent-0 - run: - name: Run Tests + name: Docker build command: | make docker-build - save_cache: key: v2-modules-{{ .Branch }}-{{ checksum "go.sum" }} paths: - "/home/circleci/gogo/pkg" + # run helm tests + - run: + name: Test helm charts + command: | + make test-helm # tests start here - run: name: Run Local Tests diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index c6cc721f..34642502 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
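Review bot: The `install kubeval` step pipes `curl -sSL .../${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz` straight into `tar`, and `helm plugin install https://github.com/quintush/helm-unittest --version ${HELM_UNITTEST_VERSION}` installs a plugin from a git tag (running its install hook, if it ships one), so neither tool's integrity is checked before it executes in CI and a moved tag or replaced release asset would go unnoticed. Pin a hash next to `KUBEVAL_VERSION` (a new variable, e.g. `KUBEVAL_SHA256: "<expected sha256 placeholder>"`) and verify before extracting: `curl -fsSL -o kubeval.tgz "https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz"`, `echo "${KUBEVAL_SHA256}  kubeval.tgz" | sha256sum -c -`, `tar -xzf kubeval.tgz kubeval`. `-f` additionally makes curl fail on an HTTP error instead of handing an error page to tar. The plugin install has no equivalent hash option, so at minimum record the commit the tag resolved to when it was adopted, or fetch and verify the plugin's release artifact the same way. The job's `steps` list starts and ends outside the hunk.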
@@ -1,2 +1 @@ #### What this PR does / why we need it: - diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index fef88b05..d32a1a06 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v1.4.0 + rev: v3.2.0 hooks: - id: check-symlinks - id: check-merge-conflict diff --git a/Makefile b/Makefile index 25e22254..ecb01ebf 100644 --- a/Makefile +++ b/Makefile @@ -31,6 +31,13 @@ package-helm: helm repo index . --url https://isindir.github.io/sops-secrets-operator ) ; \ } +## test-helm: test helm charts +test-helm: + @{ \ + $(MAKE) -C chart/helm2/sops-secrets-operator all ; \ + $(MAKE) -C chart/helm3/sops-secrets-operator all ; \ + } + ## test: Run tests test: generate fmt vet manifests USE_EXISTING_CLUSTER=${USE_EXISTING_CLUSTER} go test ./... -coverprofile cover.out @@ -131,6 +138,12 @@ else CONTROLLER_GEN=$(shell which controller-gen) endif +## pre-commit: update pre-commit +pre-commit: + pre-commit install + pre-commit autoupdate + pre-commit run -a + .PHONY: help ## help: prints this help message help: diff --git a/chart/helm2/sops-secrets-operator/.helmignore b/chart/helm2/sops-secrets-operator/.helmignore index 9c6ec6f6..6378bc99 100644 --- a/chart/helm2/sops-secrets-operator/.helmignore +++ b/chart/helm2/sops-secrets-operator/.helmignore @@ -20,8 +20,10 @@ .idea/ *.tmproj .vscode/ +# Custom qqq.* abc.* *.qqq *.abc *.vim +Makefile diff --git a/chart/helm2/sops-secrets-operator/Chart.yaml b/chart/helm2/sops-secrets-operator/Chart.yaml index 0622dd0b..c3c64f4e 100644 --- a/chart/helm2/sops-secrets-operator/Chart.yaml +++ b/chart/helm2/sops-secrets-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -version: 0.3.6 +version: 0.3.7 appVersion: 0.1.5 description: sops secrets operator name: sops-secrets-operator diff --git a/chart/helm2/sops-secrets-operator/Makefile b/chart/helm2/sops-secrets-operator/Makefile new file mode 100644 index 00000000..6ba3332e 
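Review bot: In the new `test-helm` target the two `$(MAKE) -C chart/.../sops-secrets-operator all` calls are separated by `;` inside a brace group, so the target's exit status is that of the last command only: a failing helm2 chart test is masked whenever the helm3 run passes, and the CI `make test-helm` step goes green. Join the calls with `&&` so the first failure stops the recipe: `$(MAKE) -C chart/helm2/sops-secrets-operator all && \`. The `package-helm` recipe visible in the context above chains with `;` in the same way and probably deserves the same change, but that is outside this hunk.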
--- /dev/null
+++ b/chart/helm2/sops-secrets-operator/Makefile
@@ -0,0 +1,45 @@
+.PHONY: all dep list test
+
+CHART_NAME?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^name:/ { gsub(/['\'',]/, ""); print $$2; }')
+VERSION_TAG?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^version/ { gsub(/['\'',]/, ""); print $$2; }')
+
+SHELL=/bin/bash
+
+## all: run all test targets
+all: echo lint test validate
+
+## versions: show currently installed tool versions
+versions:
+ helm version ; echo
+ helm plugin list | grep unittest ; echo
+ kubeval --version
+ @echo '--------------------'
+
+## echo: print chart information
+echo:
+ @echo '-=-=-=-=-=-=-=-=-=-=- "${CHART_NAME}" version: "${VERSION_TAG}" -=-=-=-=-=-=-=-=-=-=-'
+
+## test: run unittests
+test:
+ helm unittest --color .
+ @echo '--------------------'
+
+## lint: lint helm chart
+lint:
+ helm lint .
+ @echo '--------------------'
+
+## validate: validate rendered chart templates using 'kubeval'
+validate:
+ helm template . | kubeval --ignore-missing-schemas --force-color -
+ @echo '--------------------'
+
+## docs: generate chart documentation to stdout, if firgate is installed
+docs:
+ frigate gen .
+
+.PHONY: help
+## help: prints this help message
+help:
+ @echo "Usage:"
+ @sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' | sed -e 's/^/ /'
diff --git a/chart/helm2/sops-secrets-operator/README.md b/chart/helm2/sops-secrets-operator/README.md
index 729d2374..74a66b8e 100644
--- a/chart/helm2/sops-secrets-operator/README.md
+++ b/chart/helm2/sops-secrets-operator/README.md
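Review bot: `.PHONY: all dep list test` declares two targets, `dep` and `list`, that this Makefile never defines, while the real targets `versions`, `echo`, `lint`, `validate` and `docs` are left undeclared, so a file named `lint` or `echo` in the chart directory would silently turn those targets into no-ops; replace the line with `.PHONY: all versions echo test lint validate docs`. The `validate` target runs `kubeval --ignore-missing-schemas`, which lets any rendered resource without a published schema through unchecked, so this does not validate the chart's custom resources — worth stating on the target, e.g. `## validate: validate rendered templates with kubeval (resources without a schema, e.g. CRD-based ones, are skipped)`. `firgate` in the `docs` comment should read `frigate`. The helm3 copy of this file, hunk `@@ -0,0 +1,45 @@` under `chart/helm3/sops-secrets-operator/Makefile`, has the same three issues.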
@@ -83,12 +83,13 @@ The following table lists the configurable parameters of the Sops-secrets-operat | ------------------------ | ----------------------- | -------------- | | `replicaCount` | Deployment replica count - should not be modified | `1` | | `image.repository` | Operator image | `"isindir/sops-secrets-operator"` | -| `image.tag` | Operator image tag | `"0.1.0"` | +| `image.tag` | Operator image tag | `"0.1.5"` | | `image.pullPolicy` | Operator image pull policy | `"Always"` | | `imagePullSecrets` | Secrets to pull image from private docker repository | `[]` | | `nameOverride` | Overrides auto-generated short resource name | `""` | | `fullnameOverride` | Overrides auto-generated long resource name | `""` | | `podAnnotations` | Annotations to be added to operator pod | `{}` | +| `serviceAccount.annotations` | Annotations to be added to the service account | `{}` | | `gpg.enabled` | If `true` gcp secret will be created from provided value and mounted as environment variable | `false` | | `gpg.secret1` | Name of the secret to create - will override default secret name if specified | `"gpg1"` | | `gpg.secret2` | Name of the secret to create - will override default secret name if specified | `"gpg2"` | 
@@ -100,6 +101,8 @@ The following table lists the configurable parameters of the Sops-secrets-operat | `azure.clientId`| Client (Application) ID of the Azure Service principal to use for Key access | `''` | | `azure.clientSecret`| Client Secret of the Azure Service principal to use for Key access | `''` | | `azure.existingSecretName`| If set the named secret will be used to find the Azure SP credentials. | `''` | +| `secretsAsEnvVars` | Configure custom secrets to be used as environment variables at runtime, see values.yaml | `[]` | +| `secretsAsFiles` | Configure custom secrets to be mounted at runtime, see values.yaml | `[]` | | `resources` | Operator container resources | `{}` | | `nodeSelector` | Node selector to use for pod configuration | `{}` | | `securityContext.enabled` | Enable securitycontext | `false` | diff --git a/chart/helm2/sops-secrets-operator/templates/operator.yaml b/chart/helm2/sops-secrets-operator/templates/operator.yaml index 62deb79f..ee347d70 100644 --- a/chart/helm2/sops-secrets-operator/templates/operator.yaml +++ b/chart/helm2/sops-secrets-operator/templates/operator.yaml @@ -43,7 +43,7 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if or .Values.gcp.enabled .Values.gpg.enabled }} + {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }} volumeMounts: {{- end }} {{- if .Values.gcp.enabled }} @@ -58,6 +58,11 @@ spec: - mountPath: /var/secrets/gpg-secrets/private-keys-v1.d name: sops-operator-gpg-keys2 {{- end }} + {{- range .Values.secretsAsFiles }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: true + {{- end }} command: - /usr/local/bin/manager args: 
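Review bot: The `secretsAsFiles` range emits `name: {{ .name }}` and `mountPath: {{ .mountPath }}` as bare scalars, so a value that YAML does not read as a plain string (`yes`/`no`, a numeric-looking name, anything containing `: ` or ` #`) is rendered verbatim and mis-parsed by the chart's consumer rather than rejected at template time. Pipe the user-supplied fields through `quote`: `mountPath: {{ .mountPath | quote }}` and `name: {{ .name | quote }}`. The same applies to `.name`, `.secretName` and `.secretKey` in the `secretsAsEnvVars` env entries (hunk `@@ -97,9 +102,16 @@`), to `.name`/`.secretName` in the volumes (hunk `@@ -121,6 +133,11 @@`), and to the identical hunks in the helm3 `templates/operator.yaml`. `readOnly: true` on the mount is the right default and should stay. The container spec this sits in starts and ends outside the hunk.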
@@ -97,9 +102,16 @@ spec: name: {{ $secretname }} key: clientSecret {{- end }} + {{- range .Values.secretsAsEnvVars }} + - name: {{ .name }} + valueFrom: + secretKeyRef: + name: {{ .secretName }} + key: {{ .secretKey }} + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if or .Values.gcp.enabled .Values.gpg.enabled }} + {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }} volumes: {{- end }} {{- if .Values.gcp.enabled }} @@ -121,6 +133,11 @@ spec: - name: sops-gpg emptyDir: {} {{- end }} + {{- range .Values.secretsAsFiles }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/chart/helm2/sops-secrets-operator/values.yaml b/chart/helm2/sops-secrets-operator/values.yaml index a382bb42..e0d54143 100644 --- a/chart/helm2/sops-secrets-operator/values.yaml +++ b/chart/helm2/sops-secrets-operator/values.yaml @@ -41,6 +41,18 @@ azure: # Pre-existing secret must contain the keys tenantId, clientId and clientSecret with the appropriate values existingSecretName: '' # Name of a pre-existing secret containing Azure Service Principal Credentials (ClientID, ClientSecret, TenantID) +secretsAsEnvVars: [] # configure custom secrets to be used as environment variables at runtime, see values.yaml +#- name: SECRET_GREETING +# secretName: my-secret-greeting +# secretKey: greeting + +secretsAsFiles: [] # configure custom secrets to be mounted at runtime, see values.yaml +# All files within secret will be mounted in "/etc/foo" - same as 1st example in k8s documentation +# all secrets will be mounted as readonly +#- name: foo +# mountPath: "/etc/foo" +# secretName: mysecret + resources: {} # Operator container resources # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
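Review bot: The inline comments on `secretsAsEnvVars: []` and `secretsAsFiles: []` say `see values.yaml`, but this file is values.yaml — the text was copied from the README table and points the reader nowhere. Reword them to point at the examples that follow, e.g. `secretsAsEnvVars: [] # custom secrets exposed to the operator as environment variables; see the commented example below`, and likewise for `secretsAsFiles`. It is also worth noting in the `secretsAsFiles` comment that the file form is preferable where the consumer can read files, since a value injected as an environment variable is inherited by child processes and may surface in diagnostic dumps, whereas the template mounts files read-only. `same as 1st example in k8s documentation` is not a usable reference; either name the page or drop the clause. The helm3 `values.yaml` hunk `@@ -41,6 +41,18 @@` is identical and needs the same edit.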
diff --git a/chart/helm3/sops-secrets-operator/.helmignore b/chart/helm3/sops-secrets-operator/.helmignore index 9c6ec6f6..6378bc99 100644 --- a/chart/helm3/sops-secrets-operator/.helmignore +++ b/chart/helm3/sops-secrets-operator/.helmignore @@ -20,8 +20,10 @@ .idea/ *.tmproj .vscode/ +# Custom qqq.* abc.* *.qqq *.abc *.vim +Makefile diff --git a/chart/helm3/sops-secrets-operator/Chart.yaml b/chart/helm3/sops-secrets-operator/Chart.yaml index 6fe41f7a..1e516129 100644 --- a/chart/helm3/sops-secrets-operator/Chart.yaml +++ b/chart/helm3/sops-secrets-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -version: 0.4.7 +version: 0.4.8 appVersion: 0.1.5 type: application description: sops secrets operator diff --git a/chart/helm3/sops-secrets-operator/Makefile b/chart/helm3/sops-secrets-operator/Makefile new file mode 100644 index 00000000..f915e15c --- /dev/null +++ b/chart/helm3/sops-secrets-operator/Makefile 
@@ -0,0 +1,45 @@
+.PHONY: all dep list test
+
+CHART_NAME?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^name:/ { gsub(/['\'',]/, ""); print $$2; }')
+VERSION_TAG?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^version/ { gsub(/['\'',]/, ""); print $$2; }')
+
+SHELL=/bin/bash
+
+## all: run all test targets
+all: echo lint test validate
+
+## versions: show currently installed tool versions
+versions:
+ helm version ; echo
+ helm plugin list | grep unittest ; echo
+ kubeval --version
+ @echo '--------------------'
+
+## echo: print chart information
+echo:
+ @echo '-=-=-=-=-=-=-=-=-=-=- "${CHART_NAME}" version: "${VERSION_TAG}" -=-=-=-=-=-=-=-=-=-=-'
+
+## test: run unittests
+test:
+ helm unittest --helm3 --color .
+ @echo '--------------------'
+
+## lint: lint helm chart
+lint:
+ helm lint .
+ @echo '--------------------'
+
+## validate: validate rendered chart templates using 'kubeval'
+validate:
+ helm template . | kubeval --ignore-missing-schemas --force-color -
+ @echo '--------------------'
+
+## docs: generate chart documentation to stdout, if firgate is installed
+docs:
+ frigate gen .
+
+.PHONY: help
+## help: prints this help message
+help:
+ @echo "Usage:"
+ @sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' | sed -e 's/^/ /'
diff --git a/chart/helm3/sops-secrets-operator/README.md b/chart/helm3/sops-secrets-operator/README.md
index a6ddcac8..2d08fadc 100644
--- a/chart/helm3/sops-secrets-operator/README.md
+++ b/chart/helm3/sops-secrets-operator/README.md
@@ -83,12 +83,13 @@ The following table lists the configurable parameters of the Sops-secrets-operat | ------------------------ | ----------------------- | -------------- | | `replicaCount` | Deployment replica count - should not be modified | `1` | | `image.repository` | Operator image | `"isindir/sops-secrets-operator"` | -| `image.tag` | Operator image tag | `"0.1.0"` | +| `image.tag` | Operator image tag | `"0.1.5"` | | `image.pullPolicy` | Operator image pull policy | `"Always"` | | `imagePullSecrets` | Secrets to pull image from private docker repository | `[]` | | `nameOverride` | Overrides auto-generated short resource name | `""` | | `fullnameOverride` | Overrides auto-generated long resource name | `""` | | `podAnnotations` | Annotations to be added to operator pod | `{}` | +| `serviceAccount.annotations` | Annotations to be added to the service account | `{}` | | `gpg.enabled` | If `true` gcp secret will be created from provided value and mounted as environment variable | `false` | | `gpg.secret1` | Name of the secret to create - will override default secret name if specified | `"gpg1"` | | `gpg.secret2` | Name of the secret to create - will override default secret name if specified | `"gpg2"` | 
@@ -100,6 +101,8 @@ The following table lists the configurable parameters of the Sops-secrets-operat | `azure.clientId`| Client (Application) ID of the Azure Service principal to use for Key access | `''` | | `azure.clientSecret`| Client Secret of the Azure Service principal to use for Key access | `''` | | `azure.existingSecretName`| If set the named secret will be used to find the Azure SP credentials. | `''` | +| `secretsAsEnvVars` | Configure custom secrets to be used as environment variables at runtime, see values.yaml | `[]` | +| `secretsAsFiles` | Configure custom secrets to be mounted at runtime, see values.yaml | `[]` | | `resources` | Operator container resources | `{}` | | `nodeSelector` | Node selector to use for pod configuration | `{}` | | `securityContext.enabled` | Enable securitycontext | `false` | diff --git a/chart/helm3/sops-secrets-operator/templates/operator.yaml b/chart/helm3/sops-secrets-operator/templates/operator.yaml index 62deb79f..ee347d70 100644 --- a/chart/helm3/sops-secrets-operator/templates/operator.yaml +++ b/chart/helm3/sops-secrets-operator/templates/operator.yaml @@ -43,7 +43,7 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if or .Values.gcp.enabled .Values.gpg.enabled }} + {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }} volumeMounts: {{- end }} {{- if .Values.gcp.enabled }} @@ -58,6 +58,11 @@ spec: - mountPath: /var/secrets/gpg-secrets/private-keys-v1.d name: sops-operator-gpg-keys2 {{- end }} + {{- range .Values.secretsAsFiles }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: true + {{- end }} command: - /usr/local/bin/manager args: 
@@ -97,9 +102,16 @@ spec: name: {{ $secretname }} key: clientSecret {{- end }} + {{- range .Values.secretsAsEnvVars }} + - name: {{ .name }} + valueFrom: + secretKeyRef: + name: {{ .secretName }} + key: {{ .secretKey }} + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if or .Values.gcp.enabled .Values.gpg.enabled }} + {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }} volumes: {{- end }} {{- if .Values.gcp.enabled }} @@ -121,6 +133,11 @@ spec: - name: sops-gpg emptyDir: {} {{- end }} + {{- range .Values.secretsAsFiles }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/chart/helm3/sops-secrets-operator/tests/operator_test.yaml b/chart/helm3/sops-secrets-operator/tests/operator_test.yaml new file mode 100644 index 00000000..598d230a --- /dev/null +++ b/chart/helm3/sops-secrets-operator/tests/operator_test.yaml 
@@ -0,0 +1,280 @@ +--- +suite: operator deployment tests +templates: + - operator.yaml + +tests: + + # api + - it: should set correct kind and apiVersion + asserts: + - isKind: + of: Deployment + - isAPIVersion: + of: apps/v1 + - hasDocuments: + count: 1 + + # deployment metadata and labels + - it: should correctly render deployment metadata + release: + name: sops + namespace: sops + asserts: + - equal: + path: metadata.name + value: sops-sops-secrets-operator + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: sops + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sops-secrets-operator + app.kubernetes.io/version: 0.1.5 + helm.sh/chart: sops-secrets-operator-0.4.8 + + # template metadata and spec selector + - it: should correctly render template metadata and spec selector + release: + name: sops + namespace: sops + asserts: + - equal: + path: spec.selector.matchLabels + value: + app.kubernetes.io/instance: sops + app.kubernetes.io/name: sops-secrets-operator + - equal: + path: spec.template.metadata.labels + value: + app.kubernetes.io/instance: sops + app.kubernetes.io/name: sops-secrets-operator + + # replicas + - it: should correctly set default replicas + asserts: + - equal: + path: spec.replicas + value: 1 + + - it: should correctly set overriden replicas + set: + replicaCount: 5 + asserts: + - equal: + path: spec.replicas + value: 5 + + # pod annotations + - it: pod annotations should be empty by default + asserts: + - isEmpty: + path: spec.template.metadata.annotations + + - it: should render pod annotations if set in values + set: + podAnnotations: + abc: qqq + cde: zzz + asserts: + - equal: + path: spec.template.metadata.annotations + value: + abc: qqq + cde: zzz + + # image pull secrets + - it: imagePullSecrets should be empty by default + asserts: + - isEmpty: + path: spec.template.spec.imagePullSecrets + + - it: should correctly render imagePullSecrets + set: + imagePullSecrets: + - name: my-harbor + - name: 
your-harbor + asserts: + - isNotEmpty: + path: spec.template.spec.imagePullSecrets + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: my-harbor + - equal: + path: spec.template.spec.imagePullSecrets[1].name + value: your-harbor + + # service account name (TODO: full coverage of include sops-secrets-operator.fullname) + - it: should correctly render deployment metadata + release: + name: sops + namespace: sops + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: sops-sops-secrets-operator + + # GPG init container + - it: should not create GPG init container by default + asserts: + - isEmpty: + path: spec.template.spec.initContainers + + - it: should create GPG init container if enabled + set: + gpg: + enabled: true + asserts: + - isNotEmpty: + path: spec.template.spec.initContainers + + # container name + - it: should set default image settings wrong + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: sops-secrets-operator + + # container image and pull policy + - it: should set default image + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: isindir/sops-secrets-operator:0.1.5 + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + + - it: should render nondefault image pull policy and image name + set: + image: + repository: myharbor.example.net/sops + tag: 0.42.0 + pullPolicy: ifNotPresent + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: ifNotPresent + - equal: + path: spec.template.spec.containers[0].image + value: myharbor.example.net/sops:0.42.0 + + # container volume mounts + - it: should render empty set of volume mounts by default + asserts: + - isEmpty: + path: spec.template.spec.containers[0].volumeMounts + + - it: should render gcp volume mount if enabled + set: + gcp: + enabled: true + asserts: + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].mountPath + value: 
/var/secrets/google + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: sops-operator-gke-svc-account + + - it: should render gpg volume mounts if enabled + set: + gpg: + enabled: true + asserts: + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].mountPath + value: /var/secrets/gpg + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: sops-gpg + - equal: + path: spec.template.spec.containers[0].volumeMounts[1].mountPath + value: /var/secrets/gpg-secrets + - equal: + path: spec.template.spec.containers[0].volumeMounts[1].name + value: sops-operator-gpg-keys1 + - equal: + path: spec.template.spec.containers[0].volumeMounts[2].mountPath + value: /var/secrets/gpg-secrets/private-keys-v1.d + - equal: + path: spec.template.spec.containers[0].volumeMounts[2].name + value: sops-operator-gpg-keys2 + + - it: should render secret volume mounts if set + set: + secretsAsFiles: + - name: foo + mountPath: "/etc/foo" + secretName: mysecret + asserts: + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].mountPath + value: /etc/foo + - equal: + path: spec.template.spec.containers[0].volumeMounts[0].name + value: foo + + # default env vars + - it: by default renders only one variable + asserts: + - equal: + path: spec.template.spec.containers[0].env + value: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + + # env var GOOGLE_APPLICATION_CREDENTIALS + - it: if gcp enabled adds GOOGLE_APPLICATION_CREDENTIALS env var + set: + gcp: + enabled: true + asserts: + - equal: + path: spec.template.spec.containers[0].env[1] + value: + name: GOOGLE_APPLICATION_CREDENTIALS + value: /var/secrets/google/key.json + + # env var GNUPGHOME + - it: if gpg enabled adds GNUPGHOME env var + set: + gpg: + enabled: true + asserts: + - equal: + path: spec.template.spec.containers[0].env[1] + value: + name: GNUPGHOME + value: /var/secrets/gpg + + # custom env vars + - it: if secretsAsEnvVars adds 
new env vars + set: + secretsAsEnvVars: + - name: SECRET_GREETING + secretName: my-secret-greeting + secretKey: greeting + - name: ANOTHER_SECRET_GREETING + secretName: another-secret-greeting + secretKey: greeting + asserts: + - equal: + path: spec.template.spec.containers[0].env + value: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SECRET_GREETING + valueFrom: + secretKeyRef: + key: greeting + name: my-secret-greeting + - name: ANOTHER_SECRET_GREETING + valueFrom: + secretKeyRef: + key: greeting + name: another-secret-greeting diff --git a/chart/helm3/sops-secrets-operator/values.yaml b/chart/helm3/sops-secrets-operator/values.yaml index a382bb42..e0d54143 100644 --- a/chart/helm3/sops-secrets-operator/values.yaml +++ b/chart/helm3/sops-secrets-operator/values.yaml @@ -41,6 +41,18 @@ azure: # Pre-existing secret must contain the keys tenantId, clientId and clientSecret with the appropriate values existingSecretName: '' # Name of a pre-existing secret containing Azure Service Principal Credentials (ClientID, ClientSecret, TenantID) +secretsAsEnvVars: [] # configure custom secrets to be used as environment variables at runtime, see values.yaml +#- name: SECRET_GREETING +# secretName: my-secret-greeting +# secretKey: greeting + +secretsAsFiles: [] # configure custom secrets to be mounted at runtime, see values.yaml +# All files within secret will be mounted in "/etc/foo" - same as 1st example in k8s documentation +# all secrets will be mounted as readonly +#- name: foo +# mountPath: "/etc/foo" +# secretName: mysecret + resources: {} # Operator container resources # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml index 58db114f..3d46cff8 100644 --- a/config/certmanager/certificate.yaml 
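Review bot: The `secretsAsFiles` test `should render secret volume mounts if set` asserts only the mount's `mountPath` and `name`; the `readOnly: true` flag the template sets and the matching `spec.template.spec.volumes` entry (the `{{- range .Values.secretsAsFiles }}` block under `volumes:`) are not covered, so a regression that drops the read-only flag or the volume would still pass. Add the two asserts below to that test. Separately, the `it` title `should set default image settings wrong` contradicts what the test checks (the default container name), and `should correctly render deployment metadata` is reused for the serviceAccountName test, which makes a failure report ambiguous; rename the latter `should render the service account name`. The hard-coded `helm.sh/chart: sops-secrets-operator-0.4.8` and `app.kubernetes.io/version: 0.1.5` labels will need updating on every chart bump, which is acceptable but deserves a comment saying so.
```yaml
  - it: should render secret volume mounts if set
    # … unchanged: set: block and existing mountPath/name asserts …
      - equal:
          path: spec.template.spec.containers[0].volumeMounts[0].readOnly
          value: true
      - equal:
          path: spec.template.spec.volumes[0].secret.secretName
          value: mysecret
```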
+++ b/config/certmanager/certificate.yaml @@ -1,6 +1,6 @@ # The following manifests contain a self-signed issuer CR and a certificate CR. # More document can be found at https://docs.cert-manager.io -# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for +# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for # breaking changes apiVersion: cert-manager.io/v1alpha2 kind: Issuer diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml index 90d7c313..e631f777 100644 --- a/config/certmanager/kustomizeconfig.yaml +++ b/config/certmanager/kustomizeconfig.yaml @@ -1,4 +1,4 @@ -# This configuration is for teaching kustomize how to update name ref and var substitution +# This configuration is for teaching kustomize how to update name ref and var substitution nameReference: - kind: Issuer group: cert-manager.io diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 2cdfb650..16f65142 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -16,12 +16,12 @@ bases: - ../crd - ../rbac - ../manager -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. #- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus patchesStrategicMerge: 
@@ -30,7 +30,7 @@ patchesStrategicMerge: # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- manager_webhook_patch.yaml diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 77e743d1..a945ed17 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -1,4 +1,4 @@ -# This patch inject a sidecar container which is a HTTP proxy for the +# This patch inject a sidecar container which is a HTTP proxy for the # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. apiVersion: apps/v1 kind: Deployment diff --git a/docs/index.yaml b/docs/index.yaml index 22ba7d64..d2256a4b 100644 --- a/docs/index.yaml +++ b/docs/index.yaml @@ -3,7 +3,22 @@ entries: sops-secrets-operator: - apiVersion: v2 appVersion: 0.1.5 - created: "2020-10-15T09:39:19.671139+01:00" + created: "2020-11-05T13:48:24.16982Z" + description: sops secrets operator + digest: 1183ae6248f462f5e8e8c2748e448e118d8494ada81779d87198b814908cf703 + maintainers: + - email: isindir@users.sf.net + name: isindir + name: sops-secrets-operator + sources: + - https://github.com/isindir/sops-secrets-operator.git + type: application + urls: + - https://isindir.github.io/sops-secrets-operator/sops-secrets-operator-0.4.8.tgz + version: 0.4.8 + - apiVersion: v2 + appVersion: 0.1.5 + created: "2020-11-05T13:48:24.168999Z" description: sops secrets operator digest: 606a6b9b4920cb789ec4f54c3d05178ce5d7443f3549a1b06d9c3b2a78e1ed23 maintainers: 
@@ -18,7 +33,7 @@ entries: version: 0.4.7 - apiVersion: v2 appVersion: 0.1.5 - created: "2020-10-15T09:39:19.670237+01:00" + created: "2020-11-05T13:48:24.168166Z" description: sops secrets operator digest: 01baf656c0b3ec5c1e4d5bba8085aa6015c8bc244259015181b52ea92258e13d maintainers: @@ -33,7 +48,7 @@ entries: version: 0.4.6 - apiVersion: v2 appVersion: 0.1.4 - created: "2020-10-15T09:39:19.669239+01:00" + created: "2020-11-05T13:48:24.167289Z" description: sops secrets operator digest: c71f9f66be32f8b9d3c8d780b09b2455a40fd9755314004efd2bb8d379dafe3c maintainers: @@ -48,7 +63,7 @@ entries: version: 0.4.5 - apiVersion: v2 appVersion: 0.1.3 - created: "2020-10-15T09:39:19.668476+01:00" + created: "2020-11-05T13:48:24.166416Z" description: sops secrets operator digest: f3f2f89d4ef6018776df0a12a63dd2f9c9519b9d1ac03a9a405e31d0fd902ba0 maintainers: @@ -63,7 +78,7 @@ entries: version: 0.4.4 - apiVersion: v2 appVersion: 0.1.2 - created: "2020-10-15T09:39:19.667843+01:00" + created: "2020-11-05T13:48:24.165536Z" description: sops secrets operator digest: 1fd5eed318627f5ed0656f4e8ce4a25729568a1626ae313bcbe21050f5f26240 maintainers: @@ -78,7 +93,7 @@ entries: version: 0.4.3 - apiVersion: v2 appVersion: 0.1.2 - created: "2020-10-15T09:39:19.667288+01:00" + created: "2020-11-05T13:48:24.164711Z" description: sops secrets operator digest: 1f4f9869c75f0922e83ba5d530e101bd4252d5c1c31365800cc9d1425680cf18 maintainers: @@ -93,7 +108,7 @@ entries: version: 0.4.2 - apiVersion: v2 appVersion: 0.1.1 - created: "2020-10-15T09:39:19.666725+01:00" + created: "2020-11-05T13:48:24.163518Z" description: sops secrets operator digest: 6b054a4e9f261eea3cb84ee2e70b87b24780f1703e2c218ea5f69b7f82d1876f maintainers: @@ -108,7 +123,7 @@ entries: version: 0.4.1 - apiVersion: v2 appVersion: 0.1.0 - created: "2020-10-15T09:39:19.666166+01:00" + created: "2020-11-05T13:48:24.162621Z" description: sops secrets operator digest: 78b62ab37eac1b45f0a68a9752a3615c5d3f1c960bb4057e665923ce104931cf maintainers: 
@@ -123,7 +138,21 @@ entries: version: 0.4.0 - apiVersion: v1 appVersion: 0.1.5 - created: "2020-10-15T09:39:19.665638+01:00" + created: "2020-11-05T13:48:24.161763Z" + description: sops secrets operator + digest: 6d75e92d86ae701c490a3b5333f405680a1fcfc4be5fbbaedce254b3b5364b41 + maintainers: + - email: isindir@users.sf.net + name: isindir + name: sops-secrets-operator + sources: + - https://github.com/isindir/sops-secrets-operator.git + urls: + - https://isindir.github.io/sops-secrets-operator/sops-secrets-operator-0.3.7.tgz + version: 0.3.7 + - apiVersion: v1 + appVersion: 0.1.5 + created: "2020-11-05T13:48:24.160888Z" description: sops secrets operator digest: 1103b1f7bf7af3f400c172227cd5a3659f3a03e5e8158b19ba0b25f7ed45208b maintainers: @@ -137,7 +166,7 @@ entries: version: 0.3.6 - apiVersion: v1 appVersion: 0.1.5 - created: "2020-10-15T09:39:19.665101+01:00" + created: "2020-11-05T13:48:24.160096Z" description: sops secrets operator digest: 15c72ba7fb09d0e980ec32fd94f56893c439c05c435281a9ab9c8bc94bd20063 maintainers: @@ -151,7 +180,7 @@ entries: version: 0.3.5 - apiVersion: v1 appVersion: 0.1.4 - created: "2020-10-15T09:39:19.664564+01:00" + created: "2020-11-05T13:48:24.159008Z" description: sops secrets operator digest: 025a6a6381b75286756ef55105ace6e911e5a5818b495ede6356cc8ec572aeac maintainers: @@ -165,7 +194,7 @@ entries: version: 0.3.4 - apiVersion: v1 appVersion: 0.1.3 - created: "2020-10-15T09:39:19.664016+01:00" + created: "2020-11-05T13:48:24.156747Z" description: sops secrets operator digest: f61b070b640169439cf4ab500047c1e356748a85871f7aeefde46d63d87d453a maintainers: @@ -179,7 +208,7 @@ entries: version: 0.3.3 - apiVersion: v1 appVersion: 0.1.2 - created: "2020-10-15T09:39:19.663457+01:00" + created: "2020-11-05T13:48:24.155057Z" description: sops secrets operator digest: 2b37dc4e545e8a9540f6b7693079b98bf161ec5a68899defcfc9420bdcbb33e3 maintainers: 
@@ -193,7 +222,7 @@ entries: version: 0.3.2 - apiVersion: v1 appVersion: 0.1.1 - created: "2020-10-15T09:39:19.662775+01:00" + created: "2020-11-05T13:48:24.153448Z" description: sops secrets operator digest: 2e2762b8f9d66aab0caacde225955fec8bfd5a4cc10dc6943a1de3809dda4091 maintainers: @@ -207,7 +236,7 @@ entries: version: 0.3.1 - apiVersion: v1 appVersion: 0.1.0 - created: "2020-10-15T09:39:19.661616+01:00" + created: "2020-11-05T13:48:24.152408Z" description: sops secrets operator digest: ce84f5b64402a582c7689cb842ba03fb10f968c38b57dc9e05f588493128019a maintainers: @@ -221,7 +250,7 @@ entries: version: 0.3.0 - apiVersion: v2 appVersion: 0.0.10 - created: "2020-10-15T09:39:19.659907+01:00" + created: "2020-11-05T13:48:24.150291Z" description: sops secrets operator digest: 5e4c8bc37ea2c819c55b288c0a5e76ff8c9c02be591bd53776606666af45581c maintainers: @@ -236,7 +265,7 @@ entries: version: 0.2.1 - apiVersion: v1 appVersion: 0.0.10 - created: "2020-10-15T09:39:19.65925+01:00" + created: "2020-11-05T13:48:24.149107Z" description: sops secrets operator digest: 50b8ebab19008dfc43de1eaee8b0f6287f7a55134585dc6ae88df2520d779f8f maintainers: @@ -248,4 +277,4 @@ entries: urls: - https://isindir.github.io/sops-secrets-operator/sops-secrets-operator-0.1.10.tgz version: 0.1.10 -generated: "2020-10-15T09:39:19.65836+01:00" +generated: "2020-11-05T13:48:24.146725Z" diff --git a/docs/sops-secrets-operator-0.3.7.tgz b/docs/sops-secrets-operator-0.3.7.tgz new file mode 100644 index 00000000..a2702a9f Binary files /dev/null and b/docs/sops-secrets-operator-0.3.7.tgz differ diff --git a/docs/sops-secrets-operator-0.4.8.tgz b/docs/sops-secrets-operator-0.4.8.tgz new file mode 100644 index 00000000..6315af7e Binary files /dev/null and b/docs/sops-secrets-operator-0.4.8.tgz differ