v0.1.0

Complete MVP for Helm Chart

.github/workflows/docker.yaml

@@ -1,4 +1,4 @@
-name: docker
+name: Container
 on:
   schedule:
     - cron: '0 10 * * *' # everyday at 10am
@@ -8,6 +8,12 @@ on:
       - 'v*.*.*'
   pull_request:
     branches: master
+    paths:
+      - 'cmd/**'
+      - 'pkg/**'
+      - 'go.mod'
+      - 'go.sum'
+      - 'Dockerfile'
 env:
   IMAGES: ${{ github.repository_owner }}/secret-manager
   PLATFORMS: "linux/amd64,linux/arm64,linux/arm/v7"

.github/workflows/helm.yaml

@@ -0,0 +1,89 @@
+name: Chart
+
+on:
+  push:
+    tags:
+      - '*'
+  pull_request:
+    branches: master
+    paths:
+      - 'deploy/charts/**'
+      - '!deploy/charts/secret-manager/README.md.gotmpl'
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout secret-manger
+        uses: actions/checkout@v2
+      - name: Fetch history
+        run: |
+          git fetch --prune --unshallow;
+          echo ::set-env name=commitmsg::$(git log --format=%B -n 1 ${{ github.event.after }})
+      - name: Fix appversion for tests
+        run: |
+          LASTTAG=$(git describe --abbrev=0 --tags)
+          sed -i "s/0.0.0/${LASTTAG#v}/" deploy/charts/secret-manager/Chart.yaml
+      - name: lint
+        id: lint
+        uses: helm/[email protected]
+        if: "! contains(env.commitmsg, '[skip chart-lint]')"
+        with:
+          command: lint
+          config: deploy/charts/ct.yaml
+      - name: Create kind cluster
+        uses: helm/[email protected]
+        if: "steps.lint.outputs.changed == 'true' && ! contains(env.commitmsg, '[skip chart-install]')"
+      - name: test
+        uses: helm/[email protected]
+        if: "steps.lint.outputs.changed == 'true' && ! contains(env.commitmsg, '[skip chart-install]')"
+        with:
+          command: install
+          config: deploy/charts/ct.yaml
+  release:
+    runs-on: ubuntu-latest
+    needs: lint-and-test
+    if: "github.event_name != 'pull_request'"
+    steps:
+      - name: Configure Git
+        run: |
+          git config --global user.name "${{ env.GHCR_USERNAME }}"
+          git config --global user.email "${{ env.GHCR_USERNAME }}@users.noreply.github.com"
+      - name: Checkout secret-manger
+        uses: actions/checkout@v2
+        with:
+          path: secret-manager
+      - name: Checkout Chart Repo
+        uses: actions/checkout@v2
+        with:
+          token: ${{ env.GHCR_PASSWORD }}
+          repository: "itscontained/charts"
+          ref: gh-pages
+          path: charts
+      - name: Install Helm
+        run: |
+          curl -fsSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+          chmod 700 get_helm.sh
+          ./get_helm.sh
+      - name: Install chart-releaser
+        run: |
+          wget https://github.com/helm/chart-releaser/releases/download/v1.0.0/chart-releaser_1.0.0_linux_amd64.tar.gz
+          tar xzvf chart-releaser_1.0.0_linux_amd64.tar.gz cr
+      - name: Copy CRDs to chart
+        run: |
+          cd secret-manager
+          make crds-to-chart
+      - name: Generate Helm README
+        run: |
+          make helm-docs
+          cd ../
+      - name: Release Chart
+        run: |
+          sed -i 's/0.0.0/${GITHUB_REF#refs/tags/v}/' deploy/charts/secret-manager/Chart.yaml
+          helm package secret-manager/deploy/charts/secret-manager/ --destination .cr-release-packages
+          ./cr upload -t ${GITHUB_PAT} && ./cr index
+          cd charts/ && git add . && git commit -m "release chart" && git push
+        env:
+          CR_CHARTS_REPO: "https://charts.itscontained.io"
+          CR_INDEX_PATH: "charts/index.yaml"
+          CR_OWNER: "itscontained"
+          CR_GIT_REPO: "charts"

.gitignore

@@ -24,5 +24,7 @@ bin
 *.swo
 *~
 
+deploy/charts/secret-manager/README.md
+
 # generated CRDs
-deploy/charts/secret-manager/templates/crds/*.yaml
+deploy/charts/secret-manager/templates/crds/*.yaml

Makefile

@@ -81,10 +81,13 @@ docker-build-kind-deploy: docker-build crds-to-chart ## copy
 	kubie ctx kind-test --namespace kube-system
 	helm upgrade secret-manager $(HELM_DIR)/. -f values.yaml --set image.tag=$(IMG_TAG),image.pullPolicy=IfNotPresent,installCRDs=true --namespace kube-system --install
 
-
 docker-push: ## Push the docker image
 	docker push ${IMG}
 
+helm-docs: ## Generate helm docs
+	cd $(HELM_DIR); \
+	docker run --rm -v $(shell pwd)/$(HELM_DIR):/helm-docs -u $(shell id -u) jnorwood/helm-docs:latest
+
 # find or download controller-gen
 # download controller-gen if necessary
 controller-gen:

cmd/controller/app/options/options.go

@@ -50,51 +50,36 @@ type ControllerOptions struct {
 	MinTLSVersion string
 }
 
-var (
-	defaultEnabledControllers = make([]string, 0)
-)
-
 func (s *ControllerOptions) InitFlags(fs *pflag.FlagSet) {
-	fs.StringVar(&s.APIServerHost, "master", "", ""+
-		"Optional apiserver host address to connect to. If not specified, autoconfiguration "+
-		"will be attempted.")
-	fs.StringVar(&s.Kubeconfig, "kubeconfig", "", ""+
-		"Paths to a kubeconfig. Only required if out-of-cluster.")
-	fs.StringVar(&s.Namespace, "namespace", "", ""+
+	fs.StringVar(&s.APIServerHost, "master", "",
+		"Optional ApiServer host address to connect to. If not specified, autoconfiguration will be attempted.")
+	fs.StringVar(&s.Kubeconfig, "kubeconfig", "",
+		"Path to a kubeconfig. Only required if out-of-cluster.")
+	fs.StringVar(&s.Namespace, "namespace", "",
 		"If set, this limits the scope of secret-manager to a single namespace and ClusterSecretStores are disabled. "+
-		"If not specified, all namespaces will be watched")
-
-	fs.BoolVar(&s.LeaderElect, "leader-elect", true, ""+
+			"If not specified, all namespaces will be watched")
+	fs.BoolVar(&s.LeaderElect, "leader-elect", true,
 		"If true, secret-manager will perform leader election between instances to ensure no more "+
-		"than one instance of secret-manager operates at a time")
-	fs.StringVar(&s.LeaderElectionNamespace, "leader-election-namespace", "kube-system", ""+
+			"than one instance of secret-manager operates at a time")
+	fs.StringVar(&s.LeaderElectionNamespace, "leader-election-namespace", "kube-system",
 		"Namespace used to perform leader election. Only used if leader election is enabled")
-	fs.DurationVar(&s.LeaderElectionLeaseDuration, "leader-election-lease-duration", 60*time.Second, ""+
+	fs.DurationVar(&s.LeaderElectionLeaseDuration, "leader-election-lease-duration", 60*time.Second,
 		"The duration that non-leader candidates will wait after observing a leadership "+
-		"renewal until attempting to acquire leadership of a led but unrenewed leader "+
-		"slot. This is effectively the maximum duration that a leader can be stopped "+
-		"before it is replaced by another candidate. This is only applicable if leader "+
-		"election is enabled.")
-	fs.DurationVar(&s.LeaderElectionRenewDeadline, "leader-election-renew-deadline", 45*time.Second, ""+
+			"renewal until attempting to acquire leadership of a led but un-renewed leader "+
+			"slot. This is effectively the maximum duration that a leader can be stopped "+
+			"before it is replaced by another candidate. This is only applicable if leader "+
+			"election is enabled.")
+	fs.DurationVar(&s.LeaderElectionRenewDeadline, "leader-election-renew-deadline", 45*time.Second,
 		"The interval between attempts by the acting master to renew a leadership slot "+
-		"before it stops leading. This must be less than or equal to the lease duration. "+
-		"This is only applicable if leader election is enabled.")
-	fs.DurationVar(&s.LeaderElectionRetryPeriod, "leader-election-retry-period", 15*time.Second, ""+
+			"before it stops leading. This must be less than or equal to the lease duration. "+
+			"This is only applicable if leader election is enabled.")
+	fs.DurationVar(&s.LeaderElectionRetryPeriod, "leader-election-retry-period", 15*time.Second,
 		"The duration the clients should wait between attempting acquisition and renewal "+
-		"of a leadership. This is only applicable if leader election is enabled.")
-
-	fs.StringSliceVar(&s.EnabledControllers, "controllers", defaultEnabledControllers, ""+
-		"The set of controllers to enable.")
-
-	fs.IntVar(&s.WebhookPort, "webhook-port", 8443, ""+
-		"The port number to listen on for webhook connections.")
-	fs.IntVar(&s.HealthPort, "health-port", 8400, ""+
+			"of a leadership. This is only applicable if leader election is enabled.")
+	fs.IntVar(&s.HealthPort, "health-port", 8400,
 		"The port number to listen on for health connections.")
-	fs.IntVar(&s.MetricPort, "metric-port", 9321, ""+
+	fs.IntVar(&s.MetricPort, "metric-port", 9321,
 		"The port number that the metrics endpoint should listen on.")
-
-	fs.StringVar(&s.TLSCertDir, "tls-cert-dir", "", ""+
-		"The path to TLS certificate and private key on disk.")
 }
 
 func (s *ControllerOptions) Validate() error {

deploy/charts/ct.yaml

@@ -0,0 +1,5 @@
+helm-extra-args: --timeout 600s
+chart-dirs:
+  - deploy/charts
+chart-repos:
+  - itscontained=https://charts.itscontained.io

deploy/charts/secret-manager/.helmignore

@@ -21,6 +21,7 @@
 .idea/
 *.tmproj
 .vscode/
+README.md.gotmpl
 
 # CRD README.md
 templates/crds/README.md

deploy/charts/secret-manager/Chart.yaml

@@ -1,6 +1,26 @@
 apiVersion: v2
 name: secret-manager
-description: External secret management for Kubernetes.
+description: External secret management for Kubernetes
 type: application
 version: 0.1.0
-appVersion: 0.1.0
+appVersion: 0.0.0
+keywords:
+  - kubernetes
+  - secret
+  - secretstore
+  - secret-management
+  - vault
+  - aws
+  - azure
+  - crd
+home: https://github.com/itscontained/secret-manager
+sources:
+  - https://github.com/itscontained/secret-manager
+  - https://hub.docker.com/r/itscontained/secret-manager
+  - https://quay.io/repository/itscontained/secret-manager
+  - https://github.com/orgs/itscontained/packages/container/secret-manager
+maintainers:
+  - name: DirtyCajunRice
+    email: [email protected]
+  - name: mcavoyk
+    email: [email protected]

deploy/charts/secret-manager/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+  - DirtyCajunRice
+  - mcavoyk
+reviewers:
+  - DirtyCajunRice
+  - mcavoyk

deploy/charts/secret-manager/README.md.gotmpl

@@ -0,0 +1,32 @@
+{{- $valuesYAML := "https://github.com/itscontained/secret-manager/blob/master/deploy/charts/secret-manager/values.yaml" -}}
+{{- $chartRepo := "https://charts.itscontained.io" -}}
+{{- $org := "itscontained" -}}
+{{ template "chart.header" . }}
+{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+## TL;DR
+```console
+$ helm repo add {{ $org }} {{ $chartRepo }}
+$ helm install {{ $org }}/{{ template "chart.name" . }}
+```
+
+## Installing the Chart
+To install the chart with the release name `{{ template "chart.name" . }}`:
+```console
+helm install {{ template "chart.name" . }} {{ $org }}/{{ template "chart.name" . }}
+```
+
+## Uninstalling the Chart
+To uninstall the `{{ template "chart.name" . }}` deployment:
+```console
+helm uninstall {{ template "chart.name" . }}
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+Read through the {{ template "chart.name" . }} [values.yaml]({{ $valuesYAML }})
+file. It has several commented out suggested values.
+
+{{ template "chart.valuesSection" . }}

deploy/charts/secret-manager/templates/deployment.yaml

@@ -36,20 +36,43 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-          - --health-port={{ .Values.service.port}}
+            {{- if .Values.healthCheck.enabled }}
+          - --health-port={{ .Values.healthCheck.port }}
+            {{- end }}
+            {{- if .Values.prometheus.enabled }}
+          - --metric-port={{ .Values.prometheus.service.port }}
+            {{- end }}
+            {{- if .Values.namespace }}
+          - --namespace={{ .Values.namespace }}
+            {{- end }}
+            {{- if .Values.apiServerHost }}
+          - --master={{ .Values.apiServerHost }}
+            {{- end }}
+            {{- if .Values.kubeConfig }}
+          - --kubeconfig={{ .Values.kubeConfig }}
+            {{- end }}
+            {{- if .Values.leaderElect }}
+          - --leader-elect=true
           - --leader-election-namespace={{ .Release.Namespace }}
-          - --leader-elect=false
+            {{- end }}
+          {{- range $arg := .Values.extraArgs }}
+          - {{ $arg }}
+          {{- end }}
+          {{- if .Values.prometheus.enabled }}
           ports:
-            - containerPort: 9321
+            - containerPort: {{.Values.prometheus.service.port }}
               protocol: TCP
+          {{- end }}
+          {{- if .Values.healthCheck.enabled }}
           livenessProbe:
             httpGet:
               path: /health
-              port: {{ .Values.service.port}}
+              port: {{ .Values.healthCheck.port }}
           readinessProbe:
             httpGet:
               path: /ready
-              port: {{ .Values.service.port}}
+              port: {{ .Values.healthCheck.port }}
+          {{- end }}
           {{- with .Values.resources }}
           resources:
             {{- toYaml . | nindent 12 }}