up: golang, controller runtime, envtest, helm unit test plugin (#128)

* up: golang, controller runtime, envtest, helm unit test plugin

* Fix typo

* Fix typo

.circleci/config.yml

@@ -8,7 +8,7 @@ jobs:
     working_directory: /home/circleci/gogo/src/github.com/isindir/sops-secrets-operator
     # UPDATE_HERE
     machine: &machine
-      # https://circleci.com/docs/2.0/configuration-reference/#available-machine-images
+      # https://circleci.com/developer/machine/image/ubuntu-2204
       #  ubuntu-2004:202201-02 - Ubuntu 20.04, Docker v20.10.12, Docker Compose v1.29.2, Google Cloud SDK updates
       #  ubuntu-2004:202201-01 - Ubuntu 20.04, Docker v20.10.12, Docker Compose v1.29.2
       #  ubuntu-2004:202111-02 - Ubuntu 20.04, Docker v20.10.11, Docker Compose v1.29.2, log4j updates
@@ -21,29 +21,29 @@ jobs:
       # https://github.com/kubernetes/kubernetes/releases
       KUBECTL_VERSION: v1.26.1
       # https://hub.docker.com/r/rancher/k3s/tags
-      K3S_VERSION: v1.26.0-k3s1
+      K3S_VERSION: v1.26.1-k3s1
       # https://github.com/rancher/k3d/releases
-      K3D_VERSION: v5.4.6
+      K3D_VERSION: v5.4.7
       # https://github.com/helm/helm/releases
-      HELM_VERSION: v3.11.0
+      HELM_VERSION: v3.11.1
       # https://golang.org/dl/
-      GOLANG_VERSION: "1.19.5"
+      GOLANG_VERSION: "1.20"
       # https://github.com/kubernetes-sigs/kubebuilder/releases
       KUBEBUILDER_VERSION: 3.9.0
       # https://github.com/mozilla/sops/releases
       SOPS_VERSION: v3.7.3
       # https://github.com/kubernetes-sigs/kustomize/releases
-      KUSTOMIZE_VERSION: v4.5.7
-      # https://github.com/quintush/helm-unittest/releases
-      HELM_UNITTEST_VERSION: 0.2.11
+      KUSTOMIZE_VERSION: v5.0.0
+      # https://github.com/helm-unittest/helm-unittest/releases
+      HELM_UNITTEST_VERSION: 0.3.0
       # https://github.com/instrumenta/kubeval/releases
       KUBEVAL_VERSION: 0.16.1
       # https://github.com/github/hub/releases
       HUB_VERSION: 2.14.2
       # https://github.com/git-chglog/git-chglog/releases
-      GIT_CHGLOG_VERSION: 0.15.2
+      GIT_CHGLOG_VERSION: 0.15.3
       # https://github.com/docker/buildx/releases
-      BUILDX_BINARY_VERSION: 0.10.0
+      BUILDX_BINARY_VERSION: 0.10.2
 
       DOCKER_BUILDKIT: 1
       BUILDX_PLATFORMS: linux/amd64,linux/arm64
@@ -194,7 +194,7 @@ jobs:
             rm -fr linux-amd64
             helm version
             # install helm-unittest plugin
-            helm plugin install https://github.com/quintush/helm-unittest --version ${HELM_UNITTEST_VERSION}
+            helm plugin install https://github.com/helm-unittest/helm-unittest --version ${HELM_UNITTEST_VERSION}
             helm unittest --help
           background: true
       - run:

.pre-commit-config.yaml

@@ -11,7 +11,7 @@ repos:
       # The `./` makes it relative to the chart-search-root set above
       - --template-files=./README.md.gotmpl
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.3.0
+  rev: v4.4.0
   hooks:
   - id: check-symlinks
   - id: check-merge-conflict

.tool-versions

@@ -2,20 +2,20 @@
 # https://github.com/kubernetes-sigs/kubebuilder/releases
 kubebuilder 3.9.0
 # https://golang.org/dl/
-golang 1.19.5
+golang 1.20
 # https://github.com/mozilla/sops/releases
 sops 3.7.3
 # https://github.com/kubernetes-sigs/kustomize/releases
-kustomize 4.5.7
+kustomize 5.0.0
 # https://github.com/rancher/k3d/releases
-k3d 5.4.6
+k3d 5.4.7
 # https://github.com/kubernetes/kubernetes/releases
 kubectl 1.26.1
 # https://github.com/helm/helm/releases
-helm 3.11.0
+helm 3.11.1
 # https://github.com/norwoodj/helm-docs/releases
 helm-docs 1.11.0
 # https://github.com/instrumenta/kubeval/releases
 kubeval v0.16.1
 # https://github.com/git-chglog/git-chglog/releases
-git-chglog 0.15.2
+git-chglog 0.15.3

Dockerfile

@@ -2,7 +2,7 @@
 # Build the manager binary
 # https://www.debian.org/releases/
 # https://hub.docker.com/_/golang/tags?page=1&name=bullseye
-FROM golang:1.19.5-bullseye as builder
+FROM golang:1.20.0-bullseye as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o manager main.go
 
 # https://wiki.ubuntu.com/Releases
 # https://hub.docker.com/_/ubuntu/tags?page=1&name=jammy
-FROM ubuntu:jammy-20221130
+FROM ubuntu:jammy-20230126
 
 RUN apt-get -y update \
       && apt-get -y upgrade \

Makefile

@@ -1,19 +1,19 @@
 # UPDATE_HERE
 GO := GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.7.1
+SOPS_SEC_OPERATOR_VERSION := 0.7.2
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
-CONTROLLER_GEN_VERSION := "v0.11.1"
+CONTROLLER_GEN_VERSION := "v0.11.3"
 # https://github.com/kubernetes-sigs/controller-runtime/releases
-CONTROLLER_RUNTIME_VERSION := "v0.14.1"
+CONTROLLER_RUNTIME_VERSION := "v0.14.4"
 # https://github.com/kubernetes-sigs/kustomize/releases
-KUSTOMIZE_VERSION := "v4.5.7"
+KUSTOMIZE_VERSION := "v5.0.0"
 # use `setup-envtest list` to obtain the list of available versions
 # until fixed, can't use newer version, see:
 #   https://github.com/kubernetes-sigs/controller-runtime/issues/1571
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 # https://storage.googleapis.com/kubebuilder-tools
-ENVTEST_K8S_VERSION := "1.26.0"
+ENVTEST_K8S_VERSION := "1.26.1"
 
 # Use existing cluster instead of starting processes
 USE_EXISTING_CLUSTER ?= true
@@ -222,7 +222,7 @@ controller-gen: ## Download controller-gen locally if necessary.
 KUSTOMIZE = $(shell pwd)/bin/kustomize
 .PHONY: kustomize
 kustomize: ## Download kustomize locally if necessary.
-	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v4@${KUSTOMIZE_VERSION})
+	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5@${KUSTOMIZE_VERSION})
 
 ENVTEST = $(shell pwd)/bin/setup-envtest
 .PHONY: envtest

README.md

@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.26.x | v3.7.3 | 0.13.1 | 0.7.1 |
+| v1.26.x | v3.7.3 | 0.13.2 | 0.7.2 |
 | v1.25.x | v3.7.3 | 0.12.5 | 0.6.4 |
 | v1.24.x | v3.7.3 | 0.11.3 | 0.5.3 |
 | v1.23.x | v3.7.2 | 0.10.8 | 0.4.8 |
@@ -79,7 +79,7 @@ References:
 
 ## PGP
 
-For instructions on howto configure PGP keys for operator, see [Preparing GPG keys](docs/gpg/README.md)
+For instructions on how-to configure PGP keys for operator, see [Preparing GPG keys](docs/gpg/README.md)
 
 Then install operator:
 
@@ -211,7 +211,7 @@ sops --encrypt \
   > jenkins-secrets.enc.yaml
 ```
 
-> **NOTE:** after using regex `sops --encrypted-regex` resulting file may be unapplicable to the kubernetes cluster, use
+> **NOTE:** after using regex `sops --encrypted-regex` resulting file may be inapplicable to the kubernetes cluster, use
   this feature with care
 
 * Encrypt file using `sops` and GCP KMS key:
@@ -257,7 +257,7 @@ metadata:
     "sopssecret/managed": "true"
 ...
 ```
-> previously unmanaged secret will be replaced by `SopsSecret` owned at the next rescheduled
+> previously not managed secret will be replaced by `SopsSecret` owned at the next rescheduled
   reconciliation event.
 
 ## Example procedure to upgrade from one `SopsSecret` API version to another
@@ -289,21 +289,23 @@ Projects and tools inspired development of `sops-secrets-operator`:
 
 * [sops](https://github.com/mozilla/sops)
   * [Configuring AWS KMS for use with sops](https://github.com/mozilla/sops#26assuming-roles-and-using-kms-in-various-aws-accounts)
-  * [helm secrets plugin](https://github.com/futuresimple/helm-secrets)
-* [kiam](https://github.com/uswitch/kiam)
+  * [helm secrets plugin](https://github.com/jkroepke/helm-secrets)
+* [kiam](https://github.com/uswitch/kiam) - in maintenance mode now
 * [kube2iam](https://github.com/jtblin/kube2iam)
 * [Weaveworks Flux GitOps CD](https://fluxcd.io/) - flux supports `sops` out of the box
   * [Flux github repositories](https://github.com/fluxcd)
+  * [Flux sops native integration documentation](https://fluxcd.io/flux/guides/mozilla-sops/)
 * [Jenkins Configuration as Code](https://jenkins.io/projects/jcasc/)
   * [Jenkins - Kubernetes Credentials Provider](https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/)
   * [Jenkins Kubernetes Plugin](https://github.com/jenkinsci/kubernetes-plugin)
 * [Bitnami SealedSecrets](https://github.com/bitnami-labs/sealed-secrets)
+  * [Using sealed secrets with Flux](https://fluxcd.io/flux/guides/sealed-secrets/)
 * [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder)
   * [operator-sdk](https://github.com/operator-framework/operator-sdk)
 
 ## Similar tools
 
-* [Kubernetes external secrets](https://github.com/godaddy/kubernetes-external-secrets)
+* [Kubernetes external secrets](https://github.com/external-secrets/external-secrets)
 * [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 * [Secrets Store CSI driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
 * [Kamus](https://kamus.soluto.io/)

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.13.1
-appVersion: 0.7.1
+version: 0.13.2
+appVersion: 0.7.2
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

chart/helm3/sops-secrets-operator/Makefile

@@ -38,7 +38,7 @@ echo: ## prints chart information
 
 .PHONY: test
 test: ## runs unittests
-	helm unittest --helm3 --color .
+	helm unittest --color .
 	@echo '--------------------'
 
 .PHONY: lint

chart/helm3/sops-secrets-operator/README.md

@@ -134,11 +134,11 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.7.1"` | Operator image tag |
+| image.tag | string | `"0.7.2"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | initImage.pullPolicy | string | `"Always"` | Init container image pull policy |
 | initImage.repository | string | `"ubuntu"` | Init container image name |
-| initImage.tag | string | `"jammy-20221130"` | Init container image tag |
+| initImage.tag | string | `"jammy-20230126"` | Init container image tag |
 | kubeconfig | object | `{"enabled":false,"path":null}` | Paths to a kubeconfig. Only required if out-of-cluster. |
 | logging | object | `{"encoder":"json","level":"info","stacktraceLevel":"error"}` | Logging configuration section suggested values Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default) |
 | logging.encoder | string | `"json"` | Zap log encoding (one of 'json' or 'console') |

chart/helm3/sops-secrets-operator/tests/operator_test.yaml

@@ -31,8 +31,8 @@ tests:
             app.kubernetes.io/instance: sops
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: 0.7.1
-            helm.sh/chart: sops-secrets-operator-0.13.1
+            app.kubernetes.io/version: 0.7.2
+            helm.sh/chart: sops-secrets-operator-0.13.2
 
   # custom name
   - it: should correctly render custome name
@@ -81,7 +81,6 @@ tests:
 
   # pod annotations
   - it: pod annotations should not be empty by default
-    asserts:
     asserts:
       - equal:
           path: spec.template.metadata.annotations
@@ -104,7 +103,7 @@ tests:
   # image pull secrets
   - it: imagePullSecrets should be empty by default
     asserts:
-      - isEmpty:
+      - isNull:
           path: spec.template.spec.imagePullSecrets
 
   - it: should correctly render imagePullSecrets
@@ -147,7 +146,7 @@ tests:
   # GPG init container
   - it: should not create GPG init container by default
     asserts:
-      - isEmpty:
+      - isNull:
           path: spec.template.spec.initContainers
 
   - it: should create GPG init container if enabled
@@ -171,7 +170,7 @@ tests:
       # UPDATE_HERE
       - equal:
           path: spec.template.spec.containers[0].image
-          value: isindir/sops-secrets-operator:0.7.1
+          value: isindir/sops-secrets-operator:0.7.2
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: Always
@@ -199,7 +198,7 @@ tests:
       - equal:
           path: spec.template.spec.initContainers[0].image
           # UPDATE_HERE
-          value: ubuntu:jammy-20221130
+          value: ubuntu:jammy-20230126
       - equal:
           path: spec.template.spec.initContainers[0].imagePullPolicy
           value: Always
@@ -223,7 +222,7 @@ tests:
   # container volume mounts
   - it: should render empty set of volume mounts by default
     asserts:
-      - isEmpty:
+      - isNull:
           path: spec.template.spec.containers[0].volumeMounts
 
   - it: should render gcp volume mount if enabled
@@ -437,7 +436,7 @@ tests:
   # pod volumes
   - it: should not render pod volumes by default
     asserts:
-      - isEmpty:
+      - isNull:
           path: spec.template.spec.volumes
 
   # GCP volumes

chart/helm3/sops-secrets-operator/values.yaml

@@ -13,7 +13,7 @@ image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.7.1
+  tag: 0.7.2
   # -- Operator image pull policy
   pullPolicy: Always
 
@@ -22,7 +22,7 @@ initImage:
   # -- Init container image name
   repository: ubuntu
   # -- Init container image tag
-  tag: jammy-20221130
+  tag: jammy-20230126
   # -- Init container image pull policy
   pullPolicy: Always
 

config/crd/bases/isindir.github.com_sopssecrets.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: sopssecrets.isindir.github.com
 spec: