feat: update cluster role to allow eventing; deprecate helm2 chart; add requeueAfter decryption error (#46)

* feat: update cluster role to allow eventing
* fix: deprecate helm2 chart
* feat: add requeueAfter decryption error
* pipe: improve helm tests
* package helm
isindir authored Jan 1, 2021
1 parent a4453e1 commit ae8f02d
Showing 13 changed files with 273 additions and 50 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
rev: v3.4.0
hooks:
- id: check-symlinks
- id: check-merge-conflict
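Review bot: `rev: v3.4.0` still pins the hook repository by a tag, and tags can be moved; if a reproducible hook toolchain is wanted here, pin `rev:` to the full commit SHA that v3.4.0 points at (pre-commit accepts a commit SHA in `rev`) and keep the tag name in a comment beside it.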
9 changes: 4 additions & 5 deletions Makefile
@@ -1,15 +1,16 @@
SHELL := /bin/bash
GO := GO15VENDOREXPERIMENT=1 GO111MODULE=on GOPROXY=https://proxy.golang.org go
SOPS_SEC_OPERATOR_VERSION := 0.1.8
SOPS_SEC_OPERATOR_VERSION := 0.1.9

# https://github.com/kubernetes-sigs/controller-tools/releases
CONTROLLER_TOOLS_VERSION := "v0.3.0"

# Use existing cluster instead of starting processes
USE_EXISTING_CLUSTER ?= true
# Image URL to use all building/pushing image targets
IMG ?= isindir/sops-secrets-operator:${SOPS_SEC_OPERATOR_VERSION}
IMG_LATEST = isindir/sops-secrets-operator:latest
IMG_NAME ?= isindir/sops-secrets-operator
IMG ?= ${IMG_NAME}:${SOPS_SEC_OPERATOR_VERSION}
IMG_LATEST ?= ${IMG_NAME}:latest
# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
CRD_OPTIONS ?= "crd:trivialVersions=true"

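Review bot: the comment `# Image URL to use all building/pushing image targets` now sits above `IMG_NAME`, which is the repository name rather than the image URL; move it back above `IMG`, or reword it to cover all three variables. Changing `IMG_LATEST` from `=` to `?=` is consistent with `IMG_NAME` and `IMG` now being overridable from the environment.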
Expand All @@ -32,14 +33,12 @@ package-helm:
@{ \
( cd docs; \
helm package ../chart/helm3/sops-secrets-operator ; \
helm package ../chart/helm2/sops-secrets-operator ; \
helm repo index . --url https://isindir.github.io/sops-secrets-operator ) ; \
}

## test-helm: test helm charts
test-helm:
@{ \
$(MAKE) -C chart/helm2/sops-secrets-operator all ; \
$(MAKE) -C chart/helm3/sops-secrets-operator all ; \
}

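Review bot: `chart/helm2` is dropped from both `package-helm` and `test-helm`, so the helm2 chart remains in the tree but is no longer linted or tested; since the deprecation is only a README notice, either remove the directory in a follow-up or keep it in `test-helm` until it is deleted, so nobody installs an untested chart from the repository. Note also that `helm repo index . --url ...` indexes every package already present in `docs/`, so any earlier helm2 `.tgz` files left there will still be listed in the published index.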
4 changes: 4 additions & 0 deletions chart/helm2/sops-secrets-operator/README.md
@@ -1,3 +1,7 @@
# !!! Depricated !!!

Development of helm chart for helm v2 is stopped.

# sops-secrets-operator

Installs [sops-secrets-operator](https://github.com/isindir/sops-secrets-operator.git) to provide encrypted secrets in Weaveworks GitOps Flux environment.
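Review bot: typo in the new heading, `Depricated` should read `Deprecated`; it is also worth naming the replacement (`chart/helm3/sops-secrets-operator`) in the notice so a reader landing on this README knows where to go.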
22 changes: 20 additions & 2 deletions chart/helm3/sops-secrets-operator/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
version: 0.6.3
appVersion: 0.1.8
version: 0.6.4
appVersion: 0.1.9
type: application
description: sops secrets operator
name: sops-secrets-operator
Expand All @@ -9,3 +9,21 @@ sources:
maintainers:
- name: isindir
email: [email protected]
metadata:
annotations:
artifacthub.io/operator: "true"
artifacthub.io/links:
- name: "SOPS: Secrets OPerationS - Kubernetes Operator github project"
url: "https://github.com/isindir/sops-secrets-operator.git"
- name: "SOPS: Secrets OPerationS"
url: "https://github.com/mozilla/sops"
artifacthub.io/maintainers:
- name: isindir
email: [email protected]
artifacthub.io/operatorCapabilities: "Full Lifecycle"
artifacthub.io/crds:
- kind: SopsSecret
version: isindir.github.com/v1alpha2
name: sopssecret
displayName: SopsSecret
description: SopsSecret - encapsulates sops encrypted kubernetes secrets definitions
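Review bot: the Artifact Hub annotations are nested under a top-level `metadata:` key, which is not a Chart.yaml field for `apiVersion: v2`; Artifact Hub reads them from the top-level `annotations:` key, and every annotation value must be a string, so the list-valued ones (`artifacthub.io/links`, `artifacthub.io/maintainers`, `artifacthub.io/crds`) need to be written as YAML block strings, e.g. `artifacthub.io/links: |` followed by the indented list. As written the block is silently ignored rather than rejected, so verify the listing on Artifact Hub after publishing.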
3 changes: 2 additions & 1 deletion chart/helm3/sops-secrets-operator/README.md
Expand Up @@ -83,13 +83,14 @@ The following table lists the configurable parameters of the Sops-secrets-operat
| ------------------------ | ----------------------- | -------------- |
| `replicaCount` | Deployment replica count - should not be modified | `1` |
| `image.repository` | Operator image | `"isindir/sops-secrets-operator"` |
| `image.tag` | Operator image tag | `"0.1.8"` |
| `image.tag` | Operator image tag | `"0.1.9"` |
| `image.pullPolicy` | Operator image pull policy | `"Always"` |
| `imagePullSecrets` | Secrets to pull image from private docker repository | `[]` |
| `nameOverride` | Overrides auto-generated short resource name | `""` |
| `fullnameOverride` | Overrides auto-generated long resource name | `""` |
| `podAnnotations` | Annotations to be added to operator pod | `{}` |
| `serviceAccount.annotations` | Annotations to be added to the service account | `{}` |
| `requeueAfter` | Requeue decryption errors for reconciliation after 5 minutes. | `5` |
| `gpg.enabled` | If `true` gcp secret will be created from provided value and mounted as environment variable | `false` |
| `gpg.secret1` | Name of the secret to create - will override default secret name if specified | `"gpg1"` |
| `gpg.secret2` | Name of the secret to create - will override default secret name if specified | `"gpg2"` |
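Review bot: the new `requeueAfter` row hardcodes `after 5 minutes` in its description although the value is configurable; describe the unit instead, e.g. `Requeue decryption errors for reconciliation after this many minutes`, since the default column already shows `5`. Pre-existing in the surrounding context but worth fixing while here: the `gpg.enabled` description says `gcp secret` where GPG is meant.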
6 changes: 6 additions & 0 deletions chart/helm3/sops-secrets-operator/templates/cluster_role.yaml
Expand Up @@ -13,6 +13,12 @@ rules:
- secrets
verbs:
- '*'
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
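Review bot: the new rule grants `'*'` on `events` in `events.k8s.io` cluster-wide, which is more than an event recorder needs; emitting events takes `create` and `patch`, so narrow `verbs` to those. Also confirm which API the operator's recorder actually writes to: the controller-runtime / client-go `EventRecorder` posts core-group `v1` Events, which are authorized under `apiGroups: [""]`, not under `events.k8s.io`, so with only this rule the recorder may still be forbidden.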
1 change: 1 addition & 0 deletions chart/helm3/sops-secrets-operator/templates/operator.yaml
Expand Up @@ -68,6 +68,7 @@ spec:
args:
#- "--metrics-addr=127.0.0.1:8080"
- "--enable-leader-election"
- "--requeue-decrypt-after={{ .Values.requeueAfter }}"
env:
- name: POD_NAME
valueFrom:
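Review bot: `--requeue-decrypt-after={{ .Values.requeueAfter }}` renders whatever the user supplies, so a value such as `"5m"` or an empty string produces an argument the binary rejects only at start-up; render it as `{{ .Values.requeueAfter | int }}` (or guard it with `required`) so a bad value fails at `helm template` time, and add a chart unit test asserting the argument for the default and for a custom value, since none of the tests added in this commit cover it.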
167 changes: 164 additions & 3 deletions chart/helm3/sops-secrets-operator/tests/operator_test.yaml
Expand Up @@ -30,8 +30,8 @@ tests:
app.kubernetes.io/instance: sops
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: sops-secrets-operator
app.kubernetes.io/version: 0.1.8
helm.sh/chart: sops-secrets-operator-0.6.3
app.kubernetes.io/version: 0.1.9
helm.sh/chart: sops-secrets-operator-0.6.4

# template metadata and spec selector
- it: should correctly render template metadata and spec selector
Expand Down Expand Up @@ -140,7 +140,7 @@ tests:
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: isindir/sops-secrets-operator:0.1.8
value: isindir/sops-secrets-operator:0.1.9
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
Expand Down Expand Up @@ -250,6 +250,57 @@ tests:
name: GNUPGHOME
value: /var/secrets/gpg

# Azure env vars
- it: should render Azure env vars if enabled, using existing secret
set:
azure:
enabled: true
tenantId: 'one-two-three'
clientId: 'three-two-one'
existingSecretName: 'existing-azure-secret'
asserts:
- equal:
path: spec.template.spec.containers[0].env[1]
value:
name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: existing-azure-secret
key: tenantId
- equal:
path: spec.template.spec.containers[0].env[2]
value:
name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: existing-azure-secret
key: clientId
- equal:
path: spec.template.spec.containers[0].env[3]
value:
name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: existing-azure-secret
key: clientSecret

- it: should render Azure env vars if enabled, using generated secret
set:
azure:
enabled: true
tenantId: 'one-two-three'
clientId: 'three-two-one'
clientSecret: 'my-azure-secret'
asserts:
- equal:
path: spec.template.spec.containers[0].env[1]
value:
name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: sops-secrets-operator-azure-secret
key: tenantId

# custom env vars
- it: if secretsAsEnvVars adds new env vars
set:
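Review bot: the `using generated secret` case asserts only `env[1]` (`AZURE_TENANT_ID`), whereas the `existing secret` case checks all three variables; add asserts for `env[2]` and `env[3]` against `sops-secrets-operator-azure-secret` so a regression in how `clientId` and `clientSecret` are wired is caught. Positional paths such as `env[1]` also break silently when another variable is inserted ahead of them; helm-unittest's `contains` assert on the `env` list would make these checks order-independent.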
Expand Down Expand Up @@ -295,3 +346,113 @@ tests:
fieldPath: metadata.name
- name: AWS_SDK_LOAD_CONFIG
value: "1"

# controller container resources
- it: should not render container resources by default
asserts:
- isEmpty:
path: spec.template.spec.containers[0].resources

- it: should render container resources if specified
set:
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
asserts:
- equal:
path: spec.template.spec.containers[0].resources
value:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi

# pod volumes
- it: should not render pod volumes by default
asserts:
- isEmpty:
path: spec.template.spec.volumes

# GCP volumes
- it: should render GCP volumes
set:
gcp:
enabled: true
asserts:
- equal:
path: spec.template.spec.volumes
value:
- name: sops-operator-gke-svc-account
secret:
secretName: sops-secrets-operator-gcp-secret

- it: should render GCP volume with custom name
set:
gcp:
enabled: true
svcAccSecretCustomName: my-svc-account-gcp
asserts:
- equal:
path: spec.template.spec.volumes
value:
- name: sops-operator-gke-svc-account
secret:
secretName: my-svc-account-gcp

# GPG volumes
- it: should render GPG volumes
set:
gpg:
enabled: true
asserts:
- equal:
path: spec.template.spec.volumes
value:
- name: sops-operator-gpg-keys1
secret:
secretName: gpg1
- name: sops-operator-gpg-keys2
secret:
secretName: gpg2
- name: sops-gpg
emptyDir: {}

- it: should render GPG volumes with custom secret names
set:
gpg:
enabled: true
secret1: secret-gpg
secret2: secret-gpg
asserts:
- equal:
path: spec.template.spec.volumes
value:
- name: sops-operator-gpg-keys1
secret:
secretName: secret-gpg
- name: sops-operator-gpg-keys2
secret:
secretName: secret-gpg
- name: sops-gpg
emptyDir: {}

# secretsAsFiles volumes
- it: should render custom secrets as files
set:
secretsAsFiles:
- name: foo
mountPath: "/etc/foo"
secretName: mysecret
asserts:
- equal:
path: spec.template.spec.volumes
value:
- name: foo
secret:
secretName: mysecret
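Review bot: in `should render GPG volumes with custom secret names`, `secret1` and `secret2` are both set to `secret-gpg`, so the assert cannot detect the two values being swapped; use two distinct names. The `secretsAsFiles` case sets `mountPath: "/etc/foo"` but asserts only on `volumes`; a matching assert on the container's `volumeMounts` would cover the other half of that feature.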
4 changes: 3 additions & 1 deletion chart/helm3/sops-secrets-operator/values.yaml
Expand Up @@ -6,7 +6,7 @@ replicaCount: 1 # Deployment replica count - should not be modified

image:
repository: isindir/sops-secrets-operator # Operator image
tag: 0.1.8 # Operator image tag
tag: 0.1.9 # Operator image tag
pullPolicy: Always # Operator image pull policy

imagePullSecrets: [] # Secrets to pull image from private docker repository
Expand All @@ -19,6 +19,8 @@ podAnnotations: {} # Annotations to be added to operator pod
serviceAccount:
annotations: {} # Annotations to be added to the service account

requeueAfter: 5 # Requeue decryption errors for reconciliation after 5 minutes.

gpg:
enabled: false # If `true` GCP secret will be created from provided value and mounted as environment variable
secret1: gpg1 # Name of the secret to create - will override default secret name if specified
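Review bot: the comment on `requeueAfter: 5` restates the default (`after 5 minutes`) rather than the unit, so it goes stale as soon as the value is changed; say something like `# minutes to wait before retrying a SopsSecret whose decryption failed`. The `gpg.enabled` comment in the context line says `GCP secret` where GPG is meant.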
14 changes: 8 additions & 6 deletions controllers/sopssecret_controller.go
Expand Up @@ -5,6 +5,7 @@ import (
"encoding/json"
"fmt"
"io/ioutil"
"time"

"github.com/go-logr/logr"
"github.com/sirupsen/logrus"
Expand Down Expand Up @@ -32,8 +33,9 @@ import (
// SopsSecretReconciler reconciles a SopsSecret object
type SopsSecretReconciler struct {
client.Client
Log logr.Logger
Scheme *runtime.Scheme
Log logr.Logger
Scheme *runtime.Scheme
RequeueAfter int64
}

// Reconcile - main reconcile loop of the controller
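Review bot: `RequeueAfter int64` carries no unit; every use site multiplies it by `time.Minute`, so declaring it as `time.Duration` and converting once where the flag is parsed keeps the unit in the type and prevents a later caller passing seconds. Add a doc comment to the field stating the unit and what a zero value means.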
Expand Down Expand Up @@ -78,8 +80,8 @@ func (r *SopsSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
// will not process instance error as we are already in error mode here
r.Status().Update(context.Background(), instanceEncrypted)

// Error conditon, but don't fail controller as it will not help, the actual error is already logged
return reconcile.Result{}, nil
// Failed to decrypt, re-schedule reconciliation in 5 minutes
return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
}

// iterating over secret templates
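Review bot: the new comment says `re-schedule reconciliation in 5 minutes`, but the interval is `r.RequeueAfter`, so reword it to refer to the configured value. Two behaviours to confirm: when `RequeueAfter` is greater than zero controller-runtime ignores `Requeue: true`, so that field is redundant here; and when it is zero the result degenerates to `Requeue: true`, i.e. an immediate rate-limited retry instead of the previous no-retry behaviour, so if zero is meant to disable retries, branch on it explicitly.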
Expand All @@ -98,7 +100,7 @@ func (r *SopsSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
"error",
err,
)
return reconcile.Result{}, nil
return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
}

// Set SopsSecret instance as the owner and controller
Expand All @@ -117,7 +119,7 @@ func (r *SopsSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
"error",
err,
)
return reconcile.Result{}, nil
return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
}

// Check if this Secret already exists
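Review bot: this is the third copy of `reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}` in `Reconcile`; factor it into a small helper (e.g. `r.requeueResult()`) so the unit conversion and zero-value handling live in one place. Unlike the decryption failure above, these template and ownership errors were previously terminal (`return reconcile.Result{}, nil`) and are now retried on the same schedule; a permanently bad template will therefore be retried every interval, which is acceptable only if the failure is reported on the object's status so it stays visible.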