From d7ca1a5da2e822e072b0e1b8b04491e9979d48b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20J=C3=A1ky?=
Date: Wed, 25 Oct 2023 16:11:09 +0200
Subject: [PATCH 1/5] docs: added Helm chart readme and generation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: András Jáky
Signed-off-by: András Jáky
docs: improved README
Signed-off-by: András Jáky
Signed-off-by: András Jáky
Signed-off-by: András Jáky
Signed-off-by: András Jáky
---
 Makefile | 13 ++-
 README.md | 29 +++++-
 .../charts/vault-secrets-reloader/Chart.yaml | 39 ++++----
 .../charts/vault-secrets-reloader/README.md | 97 +++++++++++++++++++
 .../vault-secrets-reloader/README.md.gotmpl | 68 +++++++++++++
 .../charts/vault-secrets-reloader/values.yaml | 60 +++++++++---
 e2e/deploy/vault/vault.yaml | 3 +-
 7 files changed, 266 insertions(+), 43 deletions(-)
 create mode 100644 deploy/charts/vault-secrets-reloader/README.md
 create mode 100644 deploy/charts/vault-secrets-reloader/README.md.gotmpl
diff --git a/Makefile b/Makefile
index e577c13..9af39d5 100644
--- a/Makefile
+++ b/Makefile
@@ -87,7 +87,6 @@ up: ## Start kind development environment
 --set podsFailurePolicy=Fail \
 --set vaultEnv.tag=latest \
 --namespace bank-vaults-infra
- kind load docker-image ghcr.io/bank-vaults/vault-secrets-reloader:dev --name $(TEST_KIND_CLUSTER)
 .PHONY: down
 down: ## Destroy kind development environment
@@ -124,7 +123,17 @@ generate: gen-helm-docs ## Generate manifests, code, and docs resources
 ##@ Deployment
 .PHONY: deploy
-deploy: ## Deploy manager resources to the K8s cluster
+deploy: ## Deploy Reloader controller resources to the K8s cluster
+ kubectl create namespace bank-vaults-infra --dry-run=client -o yaml | kubectl apply -f -
+ $(HELM) upgrade --install vault-secrets-reloader deploy/charts/vault-secrets-reloader \
+ --set image.tag=dev \
+ --set collectorSyncPeriod=30s \
+ --set reloaderRunPeriod=1m \
+ --namespace bank-vaults-infra
+
+.PHONY: deploy-kind
+deploy-kind: ## Deploy Reloder controller resources to the kind cluster
+ kind load docker-image $(IMG) --name $(TEST_KIND_CLUSTER)
 kubectl create namespace bank-vaults-infra --dry-run=client -o yaml | kubectl apply -f -
 $(HELM) upgrade --install vault-secrets-reloader deploy/charts/vault-secrets-reloader \
 --set image.tag=dev \
diff --git a/README.md b/README.md
index e1d8de3..bc0506c 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,31 @@ are supported yet.
 - Data collected by the `reloader` is only stored in-memory (secret version updates during the controller is being recreated will not be acted upon, as it will rebuild its data store from scratch on start).
+## Configuration
+
+Reloader needs to access the Vault instance on its own, so make sure you set the correct environment variables through
+the Helm chart (you can check the list of environmental variables accepted for creating a Vault client
+[here](https://developer.hashicorp.com/vault/docs/commands#environment-variables)). Furthermore, configure the workload
+data collection and reloading periods (using Go Duration format) that work best for your requirements and use-cases. For
+example:
+
+```shell
+helm upgrade --install vault-secrets-reloader oci://ghcr.io/bank-vaults/vault-secrets-reloader \
+ --set collectorSyncPeriod=2h \
+ --set reloaderRunPeriod=4h \
+ --set env.VAULT_ADDR=[URL for Vault]
+ --set env.VAULT_PATH=[Auth path]
+ --set env.VAULT_ROLE=[Auth role]
+ --set env.VAULT_AUTH_METHOD=[Auth method]
+ # other environmental variables needed for the auth method of your choice
+ --namespace bank-vaults-infra --create-namespace
+```
+
+Vault also needs to be configured with an auth method for the Reloader to use. Additionally, it is advised to create a
+role and policy that allows the Reloader to `read` and `list` secrets from Vault. An example can be found in the
+[example Bank-Vaults Operator CR
+file](https://github.com/bank-vaults/vault-secrets-reloader/blob/main/e2e/deploy/vault/vault.yaml#L102).
+
 ## Trying out Vault Secrets Reloader locally
 Make sure Docker is installed with Compose and Buildx.
@@ -74,10 +99,10 @@ make up
 make container-image
 # deploy Vault Secrets Reloader
-make deploy
+make deploy-kind
 ```
-The last command will install the Reloader Helm chart with the following settings:
+The last command will install the Reloader Helm chart with the following configuration:
 ```shell
 helm upgrade --install vault-secrets-reloader deploy/charts/vault-secrets-reloader \
diff --git a/deploy/charts/vault-secrets-reloader/Chart.yaml b/deploy/charts/vault-secrets-reloader/Chart.yaml
index 853b95a..ad795b1 100644
--- a/deploy/charts/vault-secrets-reloader/Chart.yaml
+++ b/deploy/charts/vault-secrets-reloader/Chart.yaml
@@ -1,24 +1,19 @@
 apiVersion: v2
-name: vault-secrets-reloader
-description: A Kubernetes Controller that reloads workloads on a referenced secret change in HashiCorp Vault
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.1.0"
+name: vault-secrets-reloader
+version: 0.0.0
+appVersion: latest
+description: A Kubernetes Controller that reloads workloads on a referenced secret change in HashiCorp Vault.
+keywords:
+ - vault
+ - hashicorp
+ - secret
+ - webhook
+ - reloader
+home: https://bank-vaults.dev
+sources:
+ - https://github.com/hashicorp/vault
+ - https://github.com/bank-vaults/vault-secrets-reloader
+maintainers:
+ - name: Bank Vaults Maintainers
+ email: team@bank-vaults.dev
diff --git a/deploy/charts/vault-secrets-reloader/README.md b/deploy/charts/vault-secrets-reloader/README.md
new file mode 100644
index 0000000..2cfcb8a
--- /dev/null
+++ b/deploy/charts/vault-secrets-reloader/README.md
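Review bot: `appVersion: latest` makes the chart's default image reference a mutable `latest` tag, because values.yaml in this same patch documents `image.tag: ""` as "Overrides the image tag whose default is the chart appVersion"; an install with default values is then not reproducible and cannot be tied back to a specific build. If `version: 0.0.0` and `appVersion: latest` are placeholders that release tooling rewrites at publish time, a comment on those two lines such as `# version/appVersion are placeholders rewritten by the release pipeline` would make that visible to chart consumers; otherwise pin `appVersion` to a released image tag. Either way the chart README added in this patch should tell users to set `image.tag` explicitly for production installs.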
@@ -0,0 +1,97 @@
+# vault-secrets-reloader
+
+This chart will install Vault Secrets Reloader Controller, that reloads workloads on a referenced secret change in HashiCorp Vault.
+
+Reloader will collect (unversioned) secrets injected by the Webhook from watched workloads, periodically checks if their version has been updated in Vault and if so, "reloads" the workload with an annotation update, triggering a new rollout so the Webhook can inject the new version of the secret into the pod.
+
+## Before you start
+
+Reloader works in conjunction with the [Vault Secrets Webhook](https://github.com/bank-vaults/vault-secrets-webhook), therefore the prerequisites to start using it would be a Hashicorp Vault instance, and a working Webhook.
+
+You will need to add the following annotations to the pod template spec of the workloads (i.e. Deployments, DaemonSets and StatefulSets) that you wish to reload:
+
+```yaml
+alpha.vault.security.banzaicloud.io/reload-on-secret-change: "true"
+```
+
+## Installing the Chart
+
+**Prepare Kubernetes namespace**
+
+You can prepare a separate namespace for Vault Secrets Reloader beforehand, create it automatically if not yet exist with appending `--create-namespace` to the installation Helm command, or just use the one already created for Vault Secrets Webhook.
+
+**Install the chart**
+
+```shell
+helm upgrade --install vault-secrets-reloader oci://ghcr.io/bank-vaults/vault-secrets-reloader --namespace bank-vaults-infra --create-namespace
+```
+
+## Values
+
+The following table lists the configurable parameters of the Helm chart.
+
+| Parameter | Type | Default | Description |
+| --- | ---- | ------- | ----------- |
+| `affinity` | object | `{}` | Node affinity settings for the pods.
Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
+| `autoscaling.enabled` | bool | `false` | Enable Reloader horizontal pod autoscaling |
+| `autoscaling.maxReplicas` | int | `100` | Maximum number of replicas |
+| `autoscaling.minReplicas` | int | `1` | Minimum number of replicas |
+| `collectorSyncPeriod` | string | `"30m"` | Time interval for the collector worker to run in Go Duration format |
+| `env` | object | `{"VAULT_ADDR":"https://vault.default.svc.cluster.local:8200","VAULT_ROLE":"reloader","VAULT_TLS_SECRET":"vault-tls","VAULT_TLS_SECRET_NS":"bank-vaults-infra"}` | Custom environment variables available to Reloader Define environment variables for Vault authentication here |
+| `fullnameOverride` | string | `""` | Override app full name |
+| `image.pullPolicy` | string | `"IfNotPresent"` | Container image pull policy |
+| `image.repository` | string | `"ghcr.io/bank-vaults/vault-secrets-reloader"` | Container image repo that contains the Reloader Controller |
+| `image.tag` | string | `""` | Container image tag |
+| `imagePullSecrets` | list | `[]` | Container image pull secrets for private repositories |
+| `ingress.annotations` | object | `{}` | Reloader ingress annotations |
+| `ingress.className` | string | `""` | Reloader IngressClass name |
+| `ingress.enabled` | bool | `false` | Enable Reloader ingress |
+| `ingress.hosts` | list | `[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]` | Reloader ingress hosts |
+| `ingress.tls` | list | `[]` | Reloader ingress tls |
+| `logLevel` | string | `"info"` | Log level |
+| `nameOverride` | string | `""` | Override app name |
+| `nodeSelector` | object | `{}` | Node labels for pod assignment.
Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
+| `podAnnotations` | object | `{}` | Extra annotations to add to pod metadata |
+| `podSecurityContext` | object | `{}` | Pod security context for Reloader deployment |
+| `reloaderRunPeriod` | string | `"1h"` | Time interval for the reloader worker to run in Go Duration format |
+| `replicaCount` | int | `1` | Number of replicas |
+| `resources` | object | `{}` | Resources to request for the deployment and pods |
+| `securityContext` | object | `{}` | Pod security context for Reloader containers |
+| `service.annotations` | object | `{}` | Reloader service annotations, e.g. if type is AWS LoadBalancer and you want to add security groups |
+| `service.externalPort` | int | `443` | Reloader service external port |
+| `service.internalPort` | int | `8443` | Reloader service internal port |
+| `service.name` | string | `"vault-secrets-reloader"` | Reloader service name |
+| `service.type` | string | `"ClusterIP"` | Reloader service type |
+| `serviceAccount.annotations` | object | `{}` | Annotations to add to the service account |
+| `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created |
+| `serviceAccount.name` | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| `tolerations` | list | `[]` | List of node tolerations for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| `volumeMounts` | list | `[]` | Extra volume mounts for Reloader deployment |
+| `volumes` | list | `[]` | Extra volume definitions for Reloader deployment |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+### Time periods
+
+Configure the time for periodic runs of the `collector` and `reloader` workers with a value in Go Duration format:
+
+```yaml
+collectorSyncPeriod: 30m
+reloaderRunPeriod: 1h
+```
+
+### Vault credentials
+
+ Reloader needs to be supplied with Vault credentials to be able to connect to Vault in order to get the secrets. You can check the list of environmental variables accepted for creating a Vault client [here](https://developer.hashicorp.com/vault/docs/commands#environment-variables). For example:
+
+```yaml
+env:
+ # define env vars for Vault used for authentication
+ VAULT_ROLE: "reloader"
+ VAULT_ADDR: "https://vault.default.svc.cluster.local:8200"
+ VAULT_NAMESPACE: "default"
+ VAULT_TLS_SECRET: "vault-tls"
+ VAULT_TLS_SECRET_NS: "bank-vaults-infra"
+```
+
+In addition to that, make sure to add the `read` and `list` capabilities for secrets to the Vault auth role the Reloader will use. An example can be found in the [example Bank-Vaults Operator CR file](https://github.com/bank-vaults/vault-secrets-reloader/blob/main/e2e/deploy/vault/vault.yaml#L102).
diff --git a/deploy/charts/vault-secrets-reloader/README.md.gotmpl b/deploy/charts/vault-secrets-reloader/README.md.gotmpl
new file mode 100644
index 0000000..7f572bf
--- /dev/null
+++ b/deploy/charts/vault-secrets-reloader/README.md.gotmpl
@@ -0,0 +1,68 @@
+{{ template "chart.header" . }}
+
+This chart will install Vault Secrets Reloader Controller, that reloads workloads on a referenced secret change in HashiCorp Vault.
+
+Reloader will collect (unversioned) secrets injected by the Webhook from watched workloads, periodically checks if their version has been updated in Vault and if so, "reloads" the workload with an annotation update, triggering a new rollout so the Webhook can inject the new version of the secret into the pod.
+
+## Before you start
+
+Reloader works in conjunction with the [Vault Secrets Webhook](https://github.com/bank-vaults/vault-secrets-webhook), therefore the prerequisites to start using it would be a Hashicorp Vault instance, and a working Webhook.
+
+You will need to add the following annotations to the pod template spec of the workloads (i.e. Deployments, DaemonSets and StatefulSets) that you wish to reload:
+
+```yaml
+alpha.vault.security.banzaicloud.io/reload-on-secret-change: "true"
+```
+
+## Installing the Chart
+
+**Prepare Kubernetes namespace**
+
+You can prepare a separate namespace for Vault Secrets Reloader beforehand, create it automatically if not yet exist with appending `--create-namespace` to the installation Helm command, or just use the one already created for Vault Secrets Webhook.
+
+**Install the chart**
+
+```shell
+helm upgrade --install vault-secrets-reloader oci://ghcr.io/bank-vaults/vault-secrets-reloader --namespace bank-vaults-infra --create-namespace
+```
+
+{{ define "chart.valuesTableHtml" }}
+
+The following table lists the configurable parameters of the Helm chart.
+
+| Parameter | Type | Default | Description |
+| --- | ---- | ------- | ----------- |
+{{- range .Values }}
+| `{{ .Key }}` | {{ .Type }} | {{ .Default }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+{{- end }}
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+{{ end }}
+
+{{ template "chart.valuesSectionHtml" . }}
+
+### Time periods
+
+Configure the time for periodic runs of the `collector` and `reloader` workers with a value in Go Duration format:
+
+```yaml
+collectorSyncPeriod: 30m
+reloaderRunPeriod: 1h
+```
+
+### Vault credentials
+
+ Reloader needs to be supplied with Vault credentials to be able to connect to Vault in order to get the secrets. You can check the list of environmental variables accepted for creating a Vault client [here](https://developer.hashicorp.com/vault/docs/commands#environment-variables). For example:
+
+```yaml
+env:
+ # define env vars for Vault used for authentication
+ VAULT_ROLE: "reloader"
+ VAULT_ADDR: "https://vault.default.svc.cluster.local:8200"
+ VAULT_NAMESPACE: "default"
+ VAULT_TLS_SECRET: "vault-tls"
+ VAULT_TLS_SECRET_NS: "bank-vaults-infra"
+```
+
+In addition to that, make sure to add the `read` and `list` capabilities for secrets to the Vault auth role the Reloader will use. An example can be found in the [example Bank-Vaults Operator CR file](https://github.com/bank-vaults/vault-secrets-reloader/blob/main/e2e/deploy/vault/vault.yaml#L102).
diff --git a/deploy/charts/vault-secrets-reloader/values.yaml b/deploy/charts/vault-secrets-reloader/values.yaml
index d506fa6..ab60b92 100644
--- a/deploy/charts/vault-secrets-reloader/values.yaml
+++ b/deploy/charts/vault-secrets-reloader/values.yaml
@@ -2,37 +2,50 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+# -- Number of replicas
 replicaCount: 1
+# -- Log level
 logLevel: info
 image:
+ # -- Container image repo that contains the Reloader Controller
 repository: ghcr.io/bank-vaults/vault-secrets-reloader
- pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
+ # -- Container image tag
 tag: ""
+ # -- Container image pull policy
+ pullPolicy: IfNotPresent
+# -- Container image pull secrets for private repositories
 imagePullSecrets: []
+# -- Override app name
 nameOverride: ""
+# -- Override app full name
 fullnameOverride: ""
-collectorSyncPeriod: 2h
-reloaderRunPeriod: 8h
+# -- Time interval for the collector worker to run in Go Duration format
+collectorSyncPeriod: 30m
+# -- Time interval for the reloader worker to run in Go Duration format
+reloaderRunPeriod: 1h
 serviceAccount:
- # Specifies whether a service account should be created
+ # -- Specifies whether a service account should be created
 create: true
- # Annotations to add to the service account
+ # -- Annotations to add to the service account
 annotations: {}
- # The name of the service account to use.
+ # -- The name of the service account to use.
 # If not set and create is true, a name is generated using the fullname template
 name: ""
+# -- Extra annotations to add to pod metadata
 podAnnotations: {}
+# -- Pod security context for Reloader deployment
 podSecurityContext: {}
 # fsGroup: 2000
+# -- Pod security context for Reloader containers
 securityContext: {}
 # capabilities:
 # drop:
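Review bot: This hunk changes the shipped defaults `collectorSyncPeriod` 2h→30m and `reloaderRunPeriod` 8h→1h, which is a behavioral change for every existing user that is hidden under a `docs:` commit; either keep the old defaults here or state the change (and its reason) in the commit message and the chart README. The new helm-docs comment `# -- Pod security context for Reloader containers` above `securityContext: {}` is also misleading, since that key is the container-level securityContext (the commented example fields under it, `capabilities`/`drop` and `runAsUser`, are container fields), so `# -- Container security context for the Reloader container` would be accurate and the generated README in this patch would inherit the correct wording. Because both `podSecurityContext` and `securityContext` default to `{}`, consider documenting (or defaulting) a hardened baseline such as `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`; this is a suggestion only, as the image's runtime requirements are not visible here.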
@@ -42,59 +55,65 @@ securityContext: {}
 # runAsUser: 1000
 service:
+ # -- Reloader service name
 name: vault-secrets-reloader
+ # -- Reloader service type
 type: ClusterIP
+ # -- Reloader service external port
 externalPort: 443
+ # -- Reloader service internal port
 internalPort: 8443
+ # -- Reloader service annotations, e.g. if type is AWS LoadBalancer and you want to add security groups
 annotations: {}
- # Annotate service
- # This can be used for example if type is AWS LoadBalancer and you want to add security groups
 ingress:
+ # -- Enable Reloader ingress
 enabled: false
+ # -- Reloader IngressClass name
 className: ""
+ # -- Reloader ingress annotations
 annotations: {}
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
+ # -- Reloader ingress hosts
 hosts:
 - host: chart-example.local
 paths:
 - path: /
 pathType: ImplementationSpecific
+ # -- Reloader ingress tls
 tls: []
 # - secretName: chart-example-tls
 # hosts:
 # - chart-example.local
+# -- Custom environment variables available to Reloader
+# Define environment variables for Vault authentication here
 env:
- # define env vars for Vault used for authentication
 VAULT_ROLE: "reloader"
 VAULT_ADDR: "https://vault.default.svc.cluster.local:8200"
 # VAULT_NAMESPACE: "default"
 VAULT_TLS_SECRET: "vault-tls"
 VAULT_TLS_SECRET_NS: "bank-vaults-infra"
 # VAULT_SKIP_VERIFY: "false"
- # VAULT_ROLE: "default"
 # VAULT_AUTH_METHOD: "kubernetes"
 # VAULT_PATH: "kubernetes"
 # VAULT_CLIENT_TIMEOUT: "10s"
 # VAULT_IGNORE_MISSING_SECRETS: "false"
+# -- Extra volume definitions for Reloader deployment
 volumes: []
 # - name: vault-tls
 # secret:
 # secretName: vault-tls
+# -- Extra volume mounts for Reloader deployment
 volumeMounts: []
 # - name: vault-tls
 # mountPath: /vault/tls
+# -- Resources to request for the deployment and pods
 resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user.
This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-
 # limits:
 # cpu: 100m
 # memory: 128Mi
 # requests:
@@ -102,14 +121,23 @@ resources: {}
 # memory: 128Mi
 autoscaling:
+ # -- Enable Reloader horizontal pod autoscaling
 enabled: false
+ # -- Minimum number of replicas
 minReplicas: 1
+ # -- Maximum number of replicas
 maxReplicas: 100
- targetCPUUtilizationPercentage: 80
+ # targetCPUUtilizationPercentage: 80
 # targetMemoryUtilizationPercentage: 80
+# -- Node labels for pod assignment.
+# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
 nodeSelector: {}
+# -- List of node tolerations for the pods.
+# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
 tolerations: []
+# -- Node affinity settings for the pods.
+# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
 affinity: {}
diff --git a/e2e/deploy/vault/vault.yaml b/e2e/deploy/vault/vault.yaml
index 42dace2..6d2ce14 100644
--- a/e2e/deploy/vault/vault.yaml
+++ b/e2e/deploy/vault/vault.yaml
@@ -105,6 +105,7 @@ spec:
 rules: path "secret/*" {
 capabilities = ["create", "read", "update", "delete", "list"]
 }
+ # define a new policy for the Reloader
 - name: read_secrets
 rules: path "secret/*" {
 capabilities = ["read", "list"]
@@ -135,7 +136,7 @@ spec:
 - name: reloader
 bound_service_account_names: ["vault-secrets-reloader"]
 bound_service_account_namespaces: ["bank-vaults-infra"]
- policies: ["read_secrets"]
+ policies: ["read_secrets"] # use the read_secrets policy in the reloader role
 ttl: 1h
 secrets:
From 1b221a58983794866414e5aaf0c3f07aaaa73f1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20J=C3=A1ky?=
Date: Wed, 25 Oct 2023 16:13:27 +0200
Subject: [PATCH 2/5] ci(GHA): added running pre-commit hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: András Jáky
---
 .github/workflows/ci.yaml | 6 ++++++
 .hadolint.yaml | 1 +
 Makefile | 2 +-
 flake.nix | 7 +++++++
 4 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 .hadolint.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b6a3ee7..ece110e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -108,6 +108,12 @@ jobs:
 - name: Lint
 run: nix develop --impure .#ci -c make lint -j
+ - name: Pre-commit hooks
+ run: nix develop --impure .#ci -c pre-commit run -a
+
+ - name: Check commit messages
+ run: nix develop --impure .#ci -c pre-commit run --hook-stage manual
+
 license-check:
 name: License check
 runs-on: ubuntu-latest
diff --git a/.hadolint.yaml b/.hadolint.yaml
new file mode 100644
index 0000000..f8cbb9d
--- /dev/null
+++ b/.hadolint.yaml
@@ -0,0 +1 @@
+failure-threshold: error
diff --git a/Makefile b/Makefile
index 9af39d5..24917fb 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ lint-helm: # Run helm lint check
 .PHONY: lint-docker
 lint-docker: # Run Dockerfile lint check
- $(HADOLINT) --failure-threshold error Dockerfile
+ $(HADOLINT) Dockerfile
 .PHONY: lint
 lint: lint-go lint-helm lint-docker ## Run lint checks
diff --git a/flake.nix b/flake.nix
index 1358617..566ad04 100644
--- a/flake.nix
+++ b/flake.nix
@@ -32,6 +32,13 @@
 nixpkgs-fmt.enable = true;
 yamllint.enable = true;
 hadolint.enable = true;
+ helm-docs = {
+ enable = true;
+ name = "helm-docs";
+ description = "Uses 'helm-docs' to create documentation from the Helm chart's 'values.yaml' file, and inserts the result into a corresponding 'README.md' file.";
+ files = "";
+ entry = "${pkgs.helm-docs}/bin/helm-docs";
+ };
 };
 packages = with pkgs; [
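Review bot: The new `helm-docs` hook sets `files = "";`, which matches every file, and with the default `pass_filenames` pre-commit will invoke the entry with all matched file names as positional arguments that helm-docs does not take; this is inferred from the attributes shown, so please confirm against the generated `.pre-commit-config.yaml`. Scoping it to the chart and disabling filename passing, `files = "^deploy/charts/";` and `pass_filenames = false;`, would also keep the hook from regenerating chart READMEs on unrelated commits. A one-line comment stating that the hook regenerates `deploy/charts/*/README.md` from `README.md.gotmpl` and `values.yaml` would help the next reader understand why a CI run can fail on a stale README. The enclosing hooks attribute set starts outside the hunk.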
From e14c0d9e6642c5458d58ba102e60a6bfdda3a1aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20J=C3=A1ky?=
Date: Wed, 25 Oct 2023 16:13:38 +0200
Subject: [PATCH 3/5] ci: added renovate config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: András Jáky
---
 .github/renovate.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .github/renovate.json
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..6edfd4f
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "schedule:earlyMondays",
+ ":disableDependencyDashboard"
+ ],
+ "enabledManagers": [
+ "nix"
+ ],
+ "nix": {
+ "enabled": true
+ },
+ "lockFileMaintenance": {
+ "enabled": true
+ }
+}
From 7fe23e8e31a5badb2e936a73be8420faf0cef976 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20J=C3=A1ky?=
Date: Wed, 25 Oct 2023 16:20:56 +0200
Subject: [PATCH 4/5] chore: added pull request template
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: András Jáky
---
 .github/PULL_REQUEST_TEMPLATE.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .github/PULL_REQUEST_TEMPLATE.md
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..8f72e9c
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,21 @@
+
+
+## Overview
+
+
+
+Fixes #(issue)
+
+## Notes for reviewer
+
+
From 437884bbbff41e33025dfd527444b5384f8d0b6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20J=C3=A1ky?=
Date: Thu, 2 Nov 2023 13:38:57 +0100
Subject: [PATCH 5/5] chore: Makefile improvements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
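Review bot: `"enabledManagers": ["nix"]` restricts Renovate to the flake lock, so the Go module graph, the GitHub Actions versions in `ci.yaml`, the Dockerfile base image and the Helm chart dependencies that the rest of this series touches get no automated update proposals. If that is deliberate (for example because another tool already covers them), a short note in the PR description or repository docs would stop the next person from re-enabling them; otherwise add `"gomod"`, `"github-actions"`, `"dockerfile"` and `"helmv3"` to the list. Whether other update tooling exists is not visible from this diff, so please confirm.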
Signed-off-by: András Jáky
---
 Makefile | 55 ++++++++++++++++++++++++++++++-------------------------
 1 file changed, 30 insertions(+), 25 deletions(-)
diff --git a/Makefile b/Makefile
index 24917fb..f7eb2ad 100644
--- a/Makefile
+++ b/Makefile
@@ -73,14 +73,14 @@ run: ## Run manager from your host
 up: ## Start kind development environment
 $(KIND) create cluster --name $(TEST_KIND_CLUSTER)
 sleep 10
-helm upgrade --install vault-operator oci://ghcr.io/bank-vaults/helm-charts/vault-operator \
+$(HELM) upgrade --install vault-operator oci://ghcr.io/bank-vaults/helm-charts/vault-operator \
 --set image.tag=latest \
 --set image.bankVaultsTag=latest \
 --wait
- kubectl create namespace bank-vaults-infra --dry-run=client -o yaml | kubectl apply -f -
- kubectl apply -f $(shell pwd)/e2e/deploy/vault/
+ $(KUBECTL) create namespace bank-vaults-infra --dry-run=client -o yaml | $(KUBECTL) apply -f -
+ $(KUBECTL) apply -f $(shell pwd)/e2e/deploy/vault/
 sleep 60
- helm upgrade --install vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook \
+ $(HELM) upgrade --install vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook \
 --set replicaCount=1 \
 --set image.tag=latest \
 --set image.pullPolicy=IfNotPresent \
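Review bot: `up` still declares no prerequisites, so when `kind`, `helm` or `kubectl` is not on PATH the `$(KIND)`/`$(HELM)`/`$(KUBECTL)` fallbacks expand to `$(LOCALBIN)/...`, which only exists after `make deps`; declaring them, `up: $(KIND) $(HELM) $(KUBECTL) ## Start kind development environment`, makes the target self-sufficient (the same applies to `deploy` in the next hunk). `$(shell pwd)/e2e/deploy/vault/` can be written as `$(CURDIR)/e2e/deploy/vault/` without forking a process. The `sleep 10` and `sleep 60` lines are timing-based synchronization that will be flaky on slower machines; a `$(KUBECTL) wait` on the operator and Vault pods would express the real dependency and fail loudly on a timeout. The recipe of `up` continues past the end of the hunk.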
@@ -124,22 +124,19 @@ generate: gen-helm-docs ## Generate manifests, code, and docs resources
 .PHONY: deploy
 deploy: ## Deploy Reloader controller resources to the K8s cluster
- kubectl create namespace bank-vaults-infra --dry-run=client -o yaml | kubectl apply -f -
+ $(KUBECTL) create namespace bank-vaults-infra --dry-run=client -o yaml | $(KUBECTL) apply -f -
 $(HELM) upgrade --install vault-secrets-reloader deploy/charts/vault-secrets-reloader \
 --set image.tag=dev \
 --set collectorSyncPeriod=30s \
 --set reloaderRunPeriod=1m \
 --namespace bank-vaults-infra
+.PHONY: upload-kind
+upload-kind:
+ $(KIND) load docker-image $(IMG) --name $(TEST_KIND_CLUSTER) ## Load docker image to kind cluster
+
 .PHONY: deploy-kind
-deploy-kind: ## Deploy Reloder controller resources to the kind cluster
- kind load docker-image $(IMG) --name $(TEST_KIND_CLUSTER)
- kubectl create namespace bank-vaults-infra --dry-run=client -o yaml | kubectl apply -f -
- $(HELM) upgrade --install vault-secrets-reloader deploy/charts/vault-secrets-reloader \
- --set image.tag=dev \
- --set collectorSyncPeriod=30s \
- --set reloaderRunPeriod=1m \
- --namespace bank-vaults-infra
+deploy-kind: upload-kind deploy ## Deploy Reloder controller resources to the kind cluster
 .PHONY: undeploy
 undeploy: ## Clean manager resources from the K8s cluster.
@@ -151,6 +148,7 @@ undeploy: ## Clean manager resources from the K8s cluster.
 GOLANGCI_VERSION = 1.53.3
 LICENSEI_VERSION = 0.8.0
 KIND_VERSION = 0.20.0
+KUBECTL_VERSION = 1.28.3
 HELM_DOCS_VERSION = 1.11.0
 ## Location to install dependencies to
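Review bot: In `upload-kind` the `## Load docker image to kind cluster` text sits on the recipe line instead of the target line, so the `target: ## description` convention the other targets in this file follow (and that a help rule keyed on it would read) does not pick it up, and the text is handed to the shell as a trailing comment of the kind command; move it to `upload-kind: ## Load docker image to kind cluster` and leave the `$(KIND) load ...` line bare. `deploy-kind: upload-kind deploy` names two prerequisites with no ordering between them, so under `make -j` the Helm release can be created before the image is loaded into the cluster — recoverable if kubelet retries the pull, but an undeclared dependency; `deploy-kind: upload-kind` with a recipe line `$(MAKE) deploy` states the intended order. The typo `Reloder` in the `deploy-kind` help text is carried over from the first patch of this series.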
@@ -166,17 +164,6 @@ GOLANGCI_LINT ?= $(or $(shell which golangci-lint),$(LOCALBIN)/golangci-lint)
 $(GOLANGCI_LINT): $(LOCALBIN)
 test -s $(LOCALBIN)/golangci-lint || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- v${GOLANGCI_VERSION}
-LICENSEI ?= $(or $(shell which licensei),$(LOCALBIN)/licensei)
-$(LICENSEI): $(LOCALBIN)
- test -s $(LOCALBIN)/licensei || curl -sfL https://raw.githubusercontent.com/goph/licensei/master/install.sh | bash -s -- v${LICENSEI_VERSION}
-
-KIND ?= $(or $(shell which kind),$(LOCALBIN)/kind)
-$(KIND): $(LOCALBIN)
- @if [ ! -s "$(LOCALBIN)/kind" ]; then \
- curl -Lo $(LOCALBIN)/kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-$(shell uname -s | tr '[:upper:]' '[:lower:]')-$(shell uname -m | sed -e "s/aarch64/arm64/; s/x86_64/amd64/"); \
- chmod +x $(LOCALBIN)/kind; \
- fi
-
 HELM ?= $(or $(shell which helm),$(LOCALBIN)/helm)
 $(HELM): $(LOCALBIN)
 test -s $(LOCALBIN)/helm || curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | USE_SUDO=false HELM_INSTALL_DIR=$(LOCALBIN) bash
@@ -188,9 +175,27 @@ $(HELM_DOCS): $(LOCALBIN)
 chmod +x $(LOCALBIN)/helm-docs; \
 fi
+KIND ?= $(or $(shell which kind),$(LOCALBIN)/kind)
+$(KIND): $(LOCALBIN)
+ @if [ ! -s "$(LOCALBIN)/kind" ]; then \
+ curl -Lo $(LOCALBIN)/kind https://kind.sigs.k8s.io/dl/v${KIND_VERSION}/kind-$(shell uname -s | tr '[:upper:]' '[:lower:]')-$(shell uname -m | sed -e "s/aarch64/arm64/; s/x86_64/amd64/"); \
+ chmod +x $(LOCALBIN)/kind; \
+ fi
+
+KUBECTL ?= $(or $(shell which kubectl),$(LOCALBIN)/kubectl)
+$(KUBECTL): $(LOCALBIN)
+ @if [ ! -s "$(LOCALBIN)/kubectl" ]; then \
+ curl -Lo $(LOCALBIN)/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/$(shell uname -s | tr '[:upper:]' '[:lower:]')/$(shell uname -m | sed -e "s/aarch64/arm64/; s/x86_64/amd64/")/kubectl; \
+ chmod +x $(LOCALBIN)/kubectl; \
+ fi
+
+LICENSEI ?= $(or $(shell which licensei),$(LOCALBIN)/licensei)
+$(LICENSEI): $(LOCALBIN)
+ test -s $(LOCALBIN)/licensei || curl -sfL https://raw.githubusercontent.com/goph/licensei/master/install.sh | bash -s -- v${LICENSEI_VERSION}
+
 # TODO: add support for hadolint and yamllint dependencies
 HADOLINT ?= hadolint
 YAMLLINT ?= yamllint
 .PHONY: deps
-deps: $(HELM) $(HELM_DOCS) $(ENVTEST) $(GOLANGCI_LINT) $(LICENSEI) $(KIND) ## Download and install dependencies
+deps: $(ENVTEST) $(GOLANGCI_LINT) $(HELM) $(HELM_DOCS) $(KIND) $(KUBECTL) $(LICENSEI) ## Download and install dependencies
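Review bot: The new `$(KIND)` and `$(KUBECTL)` recipes run `curl -Lo` without `-f`, so an HTTP error (for example a mistyped `KUBECTL_VERSION`) writes the error page body into `$(LOCALBIN)/kubectl`, `chmod +x` succeeds, and the `[ ! -s ... ]` guard then treats the bogus file as installed on every later run; `curl -fsSLo` makes the recipe fail instead. Neither binary is integrity-checked even though both versions are pinned: Kubernetes publishes a `kubectl.sha256` file at the binary's URL with `.sha256` appended, and kind publishes `.sha256sum` files alongside its release binaries, so the download can be verified before it is made executable and moved into place. The `LICENSEI` rule is moved rather than new, but together with the helm and golangci-lint rules above it is a third pipe-to-bash installer fetched from an unpinned `master` branch; fetching the script from a tagged ref would put it on the same footing as the versioned tools. A sketch for the kubectl rule follows (the kind rule takes the same shape); `sha256sum -c` needs a `shasum -a 256` fallback on macOS, which the `uname -s` mapping suggests this Makefile intends to support.
```make
KUBECTL_URL := https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/$(shell uname -s | tr '[:upper:]' '[:lower:]')/$(shell uname -m | sed -e "s/aarch64/arm64/; s/x86_64/amd64/")/kubectl
$(KUBECTL): $(LOCALBIN)
	@if [ ! -s "$(LOCALBIN)/kubectl" ]; then \
	  curl -fsSLo $(LOCALBIN)/kubectl.tmp $(KUBECTL_URL) && \
	  curl -fsSLo $(LOCALBIN)/kubectl.sha256 $(KUBECTL_URL).sha256 && \
	  (cd $(LOCALBIN) && echo "$$(cat kubectl.sha256)  kubectl.tmp" | sha256sum -c -) && \
	  chmod +x $(LOCALBIN)/kubectl.tmp && mv -f $(LOCALBIN)/kubectl.tmp $(LOCALBIN)/kubectl; \
	fi
```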