up: kubebuilder and related kube version to v1.22.x (#91)

* up: kubebuilder and related kube version to v1.22.x
isindir · Nov 4, 2021 · b8df542 · b8df542
1 parent 8a58554
commit b8df542
Show file tree

Hide file tree

Showing 21 changed files with 358 additions and 231 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -13,13 +13,13 @@ jobs:
       # https://golang.org/dl/
       GOLANG_VERSION: "1.17.2"
       # https://github.com/kubernetes-sigs/kubebuilder/releases
-      KUBEBUILDER_VERSION: 3.1.0
+      KUBEBUILDER_VERSION: 3.2.0
       # https://github.com/kubernetes-sigs/kustomize/releases
       KUSTOMIZE_VERSION: v4.4.0
       # https://github.com/github/hub/releases
       HUB_VERSION: 2.14.2
       # https://github.com/git-chglog/git-chglog/releases
-      GIT_CHGLOG_VERSION: 0.14.2
+      GIT_CHGLOG_VERSION: 0.15.0
       # https://github.com/docker/buildx/releases
       BUILDX_BINARY_VERSION: 0.6.3
 
@@ -101,15 +101,15 @@ jobs:
       image: ubuntu-2004:202107-02
     environment:
       # https://github.com/kubernetes/kubernetes/releases
-      KUBECTL_VERSION: v1.21.4
+      KUBECTL_VERSION: v1.22.2
       # https://github.com/rancher/k3d/releases
       K3D_VERSION: v4.4.7
       # https://github.com/helm/helm/releases
       HELM_VERSION: v3.7.1
       # https://golang.org/dl/
       GOLANG_VERSION: "1.17.2"
       # https://github.com/kubernetes-sigs/kubebuilder/releases
-      KUBEBUILDER_VERSION: 3.1.0
+      KUBEBUILDER_VERSION: 3.2.0
       # https://github.com/mozilla/sops/releases
       SOPS_VERSION: v3.7.1
       # https://github.com/kubernetes-sigs/kustomize/releases
@@ -229,7 +229,7 @@ jobs:
       - run:
           name: start k3d
           command: |
-            k3d cluster create operator --agents 1
+            k3d cluster create operator --agents 1 --image rancher/k3s:${KUBECTL_VERSION}-k3s2
             JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}';
             until kubectl get nodes -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do
               sleep 1;

diff --git a/.tool-versions b/.tool-versions
@@ -1,5 +1,5 @@
 # https://github.com/kubernetes-sigs/kubebuilder/releases
-kubebuilder 3.1.0
+kubebuilder 3.2.0
 # https://golang.org/dl/
 golang 1.17.2
 # https://github.com/mozilla/sops/releases
@@ -9,10 +9,10 @@ kustomize 4.4.0
 # https://github.com/rancher/k3d/releases
 k3d 4.4.7
 # https://github.com/kubernetes/kubernetes/releases
-kubectl 1.21.4
+kubectl 1.22.2
 # https://github.com/helm/helm/releases
 helm 3.7.1
 # https://github.com/instrumenta/kubeval/releases
 kubeval v0.16.1
 # https://github.com/git-chglog/git-chglog/releases
-git-chglog 0.14.2
+git-chglog 0.15.0
diff --git a/Makefile b/Makefile
@@ -1,16 +1,17 @@
 GO := GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.3.6
+SOPS_SEC_OPERATOR_VERSION := 0.3.7
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
-CONTROLLER_GEN_VERSION := "v0.6.2"
+CONTROLLER_GEN_VERSION := "v0.7.0"
 # https://github.com/kubernetes-sigs/controller-runtime/releases
-CONTROLLER_RUNTIME_VERSION := "v0.9.6"
+CONTROLLER_RUNTIME_VERSION := "v0.10.2"
 # https://github.com/kubernetes-sigs/kustomize/releases
 KUSTOMIZE_VERSION := "v4.4.0"
 # use `setup-envtest list` to obtain the list of available versions
 # until fixed, can't use newer version, see:
 #   https://github.com/kubernetes-sigs/controller-runtime/issues/1571
-KUBE_VERSION := "1.20.2"
+# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+ENVTEST_K8S_VERSION := "1.22.1"
 
 # Use existing cluster instead of starting processes
 USE_EXISTING_CLUSTER ?= true
@@ -20,7 +21,7 @@ IMG ?= ${IMG_NAME}:${SOPS_SEC_OPERATOR_VERSION}
 IMG_LATEST ?= ${IMG_NAME}:latest
 IMG_CACHE ?= ${IMG_NAME}:cache
 BUILDX_PLATFORMS ?= linux/amd64,linux/arm64
-# Produce CRDs that work back to Kubernetes 1.16
+# Produce CRDs are backwards compatible up to Kubernetes 1.16
 CRD_OPTIONS ?= crd:crdVersions=v1
 
 TMP_COVER_FILE="cover.out"
@@ -41,6 +42,7 @@ endif
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
 
+.PHONY: all
 all: build
 
 ##@ General
@@ -56,67 +58,80 @@ all: build
 # More info on the awk command:
 # http://linuxcommand.org/lc3_adv_awk.php
 
+.PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.PHONY: clean
 clean: ## Cleans dependency directories.
 	rm -fr ./vendor
 	rm -fr ./testbin
 	rm -fr ./bin
 	rm -f $(TMP_COVER_HTML_FILE) $(TMP_COVER_FILE)
 
+.PHONY: tidy
 tidy: ## Fetches all go dependencies.
 	$(GO) mod tidy
 	$(GO) mod vendor
 
+.PHONY: pre-commit
 pre-commit: ## Update and runs pre-commit.
 	pre-commit install
 	pre-commit autoupdate
 	pre-commit run -a
 
 ##@ Helm
 
+.PHONY: package-helm
 package-helm: ## Repackages helm chart.
 	@{ \
 		( cd docs; \
 			helm package ../chart/helm3/sops-secrets-operator ; \
 			helm repo index . --url https://isindir.github.io/sops-secrets-operator ) ; \
 	}
 
+.PHONY: test-helm
 test-helm: ## Tests helm chart.
 	@{ \
 		$(MAKE) -C chart/helm3/sops-secrets-operator all ; \
 	}
 
 ##@ Development
 
+.PHONY: manifests
 manifests: tidy controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
+.PHONY: generate
 generate: controller-gen tidy ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	@echo
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
+.PHONY: fmt
 fmt: ## Run go fmt against code.
 	$(GO) fmt ./...
 
+.PHONY: vet
 vet: ## Run go vet against code.
 	$(GO) vet ./...
 
-test: setup-envtest manifests generate fmt vet ## Run tests.
-	SOPS_AGE_RECIPIENTS="age1pnmp2nq5qx9z4lpmachyn2ld07xjumn98hpeq77e4glddu96zvms9nn7c8" SOPS_AGE_KEY_FILE="${PWD}/config/age-test-key/key-file.txt" KUBEBUILDER_ASSETS="$(shell $(SETUP_ENVTEST) use -p path --force ${KUBE_VERSION})" $(GO) test ./... -coverpkg=./controllers/... -coverprofile=$(TMP_COVER_FILE)
+.PHONY: test
+test: manifests generate fmt vet envtest ## Run tests.
+	SOPS_AGE_RECIPIENTS="age1pnmp2nq5qx9z4lpmachyn2ld07xjumn98hpeq77e4glddu96zvms9nn7c8" SOPS_AGE_KEY_FILE="${PWD}/config/age-test-key/key-file.txt" KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path --force)" $(GO) test ./... -coverpkg=./controllers/... -coverprofile=$(TMP_COVER_FILE)
 
 cover: test ## Run tests with coverage.
 	$(GO) tool cover -func=$(TMP_COVER_FILE)
 	$(GO) tool cover -o $(TMP_COVER_HTML_FILE) -html=$(TMP_COVER_FILE)
 
 ##@ Build
 
+.PHONY: build
 build: generate fmt vet ## Build manager binary.
-	go build -o bin/manager main.go
+	$(GO) build -o bin/manager main.go
 
+.PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
-	go run ./main.go
+	$(GO) run ./main.go
 
 docker-login: ## Performs logging to dockerhub using DOCKERHUB_USERNAME and DOCKERHUB_PASS environment variables.
 	echo "${DOCKERHUB_PASS}" | base64 -d | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin
@@ -126,21 +141,28 @@ docker-cross-build: ## Build multi-arch docker image.
 	docker buildx build --quiet --cache-from=${IMG_CACHE} --cache-to=${IMG_CACHE} --platform ${BUILDX_PLATFORMS} -t ${IMG} .
 
 docker-build-dont-test: generate fmt vet manifests ## Build the docker image without running tests.
-	docker build . -t ${IMG}
+	docker build -t ${IMG} .
 	docker tag ${IMG} ${IMG_LATEST}
 
+.PHONY: docker-build
 docker-build: test ## Build docker image with the manager.
-	docker build . -t ${IMG}
+	docker build -t ${IMG} .
 	docker tag ${IMG} ${IMG_LATEST}
 
+.PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	docker push ${IMG}
 	docker push ${IMG_LATEST}
 
 ##@ Deployment
 
+ifndef ignore-not-found
+  ignore-not-found = false
+endif
+
 # TODO: re-tag with crane image to latest
 #       https://michaelsauter.github.io/crane/docs.html
+.PHONY: release
 release: controller-gen generate fmt vet manifests ## Creates github release and pushes docker image to dockerhub.
 	@{ \
 		set +e ; \
@@ -156,36 +178,43 @@ release: controller-gen generate fmt vet manifests ## Creates github release and
 		fi ; \
 	}
 
+.PHONY: inspect
 inspect: ## Inspects remote docker 'image tag' - target fails if it does find existing tag.
 	@echo "Inspect remote image"
 	@! DOCKER_CLI_EXPERIMENTAL="enabled" docker manifest inspect ${IMG} >/dev/null \
 		|| { echo "Image already exists"; exit 1; }
 
+.PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl apply -f -
 
-uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | kubectl delete -f -
+.PHONY: uninstall
+uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	$(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
+.PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
-undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/default | kubectl delete -f -
-
+.PHONY: undeploy
+undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
+.PHONY: controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@${CONTROLLER_GEN_VERSION})
 
 KUSTOMIZE = $(shell pwd)/bin/kustomize
+.PHONY: kustomize
 kustomize: ## Download kustomize locally if necessary.
 	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v4@${KUSTOMIZE_VERSION})
 
-SETUP_ENVTEST = $(shell pwd)/bin/setup-envtest
-setup-envtest: ## Download setup-envtest locally if necessary.
-	$(call go-install-tool,$(SETUP_ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+ENVTEST = $(shell pwd)/bin/setup-envtest
+.PHONY: envtest
+envtest: ## Download setup-envtest locally if necessary.
+	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
 
 GINKGO = $(shell pwd)/ginkgo
 setup-ginkgo: ## Download ginkgo locally
@@ -205,7 +234,7 @@ rm -rf $$TMP_DIR ;\
 }
 endef
 
-# go-get-tool will 'go get' any package $2 and install it to $1
+# go-get-tool will 'go get' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-get-tool
 @[ -f $(1) ] || { \

diff --git a/README.md b/README.md
@@ -12,11 +12,18 @@ CRs, inspired by [Bitnami SealedSecrets](https://github.com/bitnami-labs/sealed-
 [sops](https://github.com/mozilla/sops). SopsSecret CR defines multiple
 kubernetes Secret resources. It supports managing kubernetes Secrets with
 annotations and labels, that allows using these kubernetes secrets as [Jenkins Credentials](https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/).
-The SopsSecret resources can be deployed by [Weaveworks Flux GitOps CD](https://www.weave.works/blog/managing-helm-releases-the-gitops-way) and
+The SopsSecret resources can be deployed by [Weaveworks Flux GitOps CD](https://fluxcd.io/) and
 encrypted using [sops](https://github.com/mozilla/sops) for AWS, GCP, Azure or
 on-prem hosted kubernetes clusters. Using `sops` greatly simplifies changing
 encrypted files stored in `git` repository.
 
+# Versioning
+
+| Kubernetes | Chart | Operator |
+|---|---|---|
+| v1.22.x | 0.9.7 | 0.3.7 |
+| v1.21.x | 0.9.6 | 0.3.6 |
+
 # Requirements for building operator from source code
 
 Requirements for building operator from source code can be found in [.tool-versions](.tool-versions), this file can be used with [asdf](https://asdf-vm.com/#/)
@@ -276,11 +283,21 @@ Projects and tools inspired development of `sops-secrets-operator`:
   * [helm secrets plugin](https://github.com/futuresimple/helm-secrets)
 * [kiam](https://github.com/uswitch/kiam)
 * [kube2iam](https://github.com/jtblin/kube2iam)
-* [Weaveworks Flux - GitOps](https://www.weave.works/blog/managing-helm-releases-the-gitops-way)
-  * [Flux github repository](https://github.com/weaveworks/flux)
+* [Weaveworks Flux GitOps CD](https://fluxcd.io/) - flux supports `sops` out of the box
+  * [Flux github repositories](https://github.com/fluxcd)
 * [Jenkins Configuration as Code](https://jenkins.io/projects/jcasc/)
   * [Jenkins - Kubernetes Credentials Provider](https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/)
   * [Jenkins Kubernetes Plugin](https://github.com/jenkinsci/kubernetes-plugin)
 * [Bitnami SealedSecrets](https://github.com/bitnami-labs/sealed-secrets)
 * [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder)
   * [operator-sdk](https://github.com/operator-framework/operator-sdk)
+
+## Similar tools
+
+* [Kubernetes external secrets](https://github.com/godaddy/kubernetes-external-secrets)
+* [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
+* [Secrets Store CSI driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
+* [Kamus](https://kamus.soluto.io/)
+* [Sops Operator](https://github.com/craftypath/sops-operator)
+* [Tesoro](https://github.com/kapicorp/tesoro)
+* [Vault Secrets Operator](https://github.com/ricoberger/vault-secrets-operator)
diff --git a/chart/helm3/sops-secrets-operator/Chart.yaml b/chart/helm3/sops-secrets-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-version: 0.9.6
-appVersion: 0.3.6
+version: 0.9.7
+appVersion: 0.3.7
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

diff --git a/chart/helm3/sops-secrets-operator/Makefile b/chart/helm3/sops-secrets-operator/Makefile
@@ -3,15 +3,24 @@
 CHART_NAME?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^name:/ { gsub(/['\'',]/, ""); print $$2; }')
 VERSION_TAG?=$(shell cat Chart.yaml | awk 'BEGIN { FS=": " } $$0~/^version/ { gsub(/['\'',]/, ""); print $$2; }')
 
+# use `setup-envtest list` to obtain the list of available versions
+# until fixed, can't use newer version, see:
+#   https://github.com/kubernetes-sigs/controller-runtime/issues/1571
+# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
+ENVTEST_K8S_VERSION := "1.22.1"
+
 SHELL=/bin/bash
 
 ##@ General
 
+.PHONY: all
 all: echo lint test validate ## run all test targets
 
+.PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.PHONY: versions
 versions: ## shows currently installed tool versions
 	helm version ; echo
 	helm plugin list | grep unittest ; echo
@@ -26,21 +35,25 @@ versions: ## shows currently installed tool versions
 	@asdf current kubeval
 	@echo '--------------------'
 
+.PHONY: echo
 echo: ## prints chart information
 	@echo '-=-=-=-=-=-=-=-=-=-=- "${CHART_NAME}" version: "${VERSION_TAG}" -=-=-=-=-=-=-=-=-=-=-'
 
+.PHONY: test
 test: ## runs unittests
 	helm unittest --helm3 --color .
 	@echo '--------------------'
 
+.PHONY: lint
 lint: ## runs helm chart linting
 	helm lint .
 	@echo '--------------------'
 
+.PHONY: validate
 validate: ## validates rendered chart templates using 'kubeval'
 	helm template . --set securityContextenabled=true \
 		| kubeval --force-color \
 				--strict \
 				--schema-location https://raw.githubusercontent.com/Onemind-Services-LLC/kubernetes-json-schema/master/schema \
-				--kubernetes-version 1.21.4 -
+				--kubernetes-version $(ENVTEST_K8S_VERSION) -
 	@echo '--------------------'
diff --git a/chart/helm3/sops-secrets-operator/README.md b/chart/helm3/sops-secrets-operator/README.md
@@ -131,7 +131,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.3.6"` | Operator image tag |
+| image.tag | string | `"0.3.7"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | initImage.pullPolicy | string | `"Always"` | Init container image pull policy |
 | initImage.repository | string | `"ubuntu"` | Init container image name |