fix: update RBAC for operator to be able to create leases and resched…

…uling reconcile loop when operator fails to create secrets (#70)
isindir · May 16, 2021 · 0555df5 · 0555df5
1 parent 3f9f491
commit 0555df5
Show file tree

Hide file tree

Showing 13 changed files with 107 additions and 82 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -10,11 +10,11 @@ jobs:
       image: ubuntu-2004:202010-01
     environment:
       # https://golang.org/dl/
-      GOLANG_VERSION: 1.16.3
+      GOLANG_VERSION: 1.16.4
       # https://github.com/kubernetes-sigs/kubebuilder/releases
       KUBEBUILDER_VERSION: 3.0.0
       # https://github.com/kubernetes-sigs/kustomize/releases
-      KUSTOMIZE_VERSION: v4.0.5
+      KUSTOMIZE_VERSION: v4.1.2
       # https://github.com/github/hub/releases
       HUB_VERSION: 2.14.2
       # https://github.com/git-chglog/git-chglog/releases
@@ -98,19 +98,19 @@ jobs:
       image: ubuntu-2004:202010-01
     environment:
       # https://github.com/kubernetes/kubernetes/releases
-      K8S_VERSION: v1.20.6
+      K8S_VERSION: v1.20.7
       # https://github.com/rancher/k3d/releases
-      K3D_VERSION: v4.4.1
+      K3D_VERSION: v4.4.3
       # https://github.com/helm/helm/releases
       HELM_VERSION: v3.5.4
       # https://golang.org/dl/
-      GOLANG_VERSION: 1.16.3
+      GOLANG_VERSION: 1.16.4
       # https://github.com/kubernetes-sigs/kubebuilder/releases
       KUBEBUILDER_VERSION: 3.0.0
       # https://github.com/mozilla/sops/releases
       SOPS_VERSION: v3.7.1
       # https://github.com/kubernetes-sigs/kustomize/releases
-      KUSTOMIZE_VERSION: v4.0.5
+      KUSTOMIZE_VERSION: v4.1.2
       # https://github.com/quintush/helm-unittest/releases
       HELM_UNITTEST_VERSION: 0.2.6
       # https://github.com/instrumenta/kubeval/releases
@@ -238,24 +238,24 @@ jobs:
             kubectl version
             kubectl describe node k3d-operator-server-0
             kubectl describe node k3d-operator-agent-0
-      - run:
-          name: Docker build
-          command: |
-            make docker-login
-            make docker-cross-build
       - run:
           name: make test
           command: |
             make test
-      - save_cache:
-          key: v2-modules-{{ .Branch }}-{{ checksum "go.sum" }}
-          paths:
-            - "/home/circleci/gogo/pkg"
       # run helm tests
       - run:
           name: Test helm charts
           command: |
             make test-helm
+      - run:
+          name: Docker build
+          command: |
+            make docker-login
+            make docker-cross-build
+      - save_cache:
+          key: v2-modules-{{ .Branch }}-{{ checksum "go.sum" }}
+          paths:
+            - "/home/circleci/gogo/pkg"
       # tests start here
       - run:
           name: Run Local Tests

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,7 +9,7 @@ repos:
       # The `./` makes it relative to the chart-search-root set above
       - --template-files=./README.md.gotmpl
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+  rev: v4.0.0
   hooks:
   - id: check-symlinks
   - id: check-merge-conflict

diff --git a/.tool-versions b/.tool-versions
@@ -1,8 +1,16 @@
+# https://github.com/kubernetes-sigs/kubebuilder/releases
 kubebuilder 3.0.0
-golang 1.16.3
+# https://golang.org/dl/
+golang 1.16.4
+# https://github.com/mozilla/sops/releases
 sops 3.7.1
-kustomize 4.0.5
-k3d 4.4.1
-kubectl 1.20.6
+# https://github.com/kubernetes-sigs/kustomize/releases
+kustomize 4.1.2
+# https://github.com/rancher/k3d/releases
+k3d 4.4.3
+# https://github.com/kubernetes/kubernetes/releases
+kubectl 1.20.7
+# https://github.com/helm/helm/releases
 helm 3.5.4
+# https://github.com/instrumenta/kubeval/releases
 kubeval v0.16.1
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Build the manager binary
 # https://hub.docker.com/_/golang?tab=tags&page=1&ordering=last_updated
-FROM golang:1.16.3-buster as builder
+FROM golang:1.16.4-buster as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -19,7 +19,7 @@ COPY controllers/ controllers/
 RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o manager main.go
 
 # https://hub.docker.com/_/debian?tab=tags&page=1&ordering=last_updated
-FROM debian:buster-20210408
+FROM debian:buster-20210511
 
 RUN apt-get -y update \
       && apt-get -y upgrade \

diff --git a/Makefile b/Makefile
@@ -1,9 +1,9 @@
-GO := GO15VENDOREXPERIMENT=1 GO111MODULE=on GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.2.0
+GO := GOPROXY=https://proxy.golang.org go
+SOPS_SEC_OPERATOR_VERSION := 0.2.1
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.4.1"
-KUSTOMIZE_VERSION := "v4.0.5"
+KUSTOMIZE_VERSION := "v4.1.2"
 
 # Use existing cluster instead of starting processes
 USE_EXISTING_CLUSTER ?= true
@@ -76,7 +76,7 @@ test-helm: ## Tests helm chart.
 
 ##@ Development
 
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+manifests: tidy controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 generate: controller-gen tidy ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

diff --git a/chart/helm3/sops-secrets-operator/Chart.yaml b/chart/helm3/sops-secrets-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-version: 0.8.1
-appVersion: 0.2.0
+version: 0.8.2
+appVersion: 0.2.1
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

diff --git a/chart/helm3/sops-secrets-operator/README.md b/chart/helm3/sops-secrets-operator/README.md
@@ -131,7 +131,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.2.0"` | Operator image tag |
+| image.tag | string | `"0.2.1"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | kubeconfig | object | `{"enabled":false,"path":null}` | Paths to a kubeconfig. Only required if out-of-cluster. |
 | logging | object | `{"encoder":"json","level":"info","stacktraceLevel":"error"}` | Logging configuration section suggested values Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default) |

diff --git a/chart/helm3/sops-secrets-operator/templates/cluster_role.yaml b/chart/helm3/sops-secrets-operator/templates/cluster_role.yaml
@@ -11,10 +11,7 @@ rules:
   resources:
   - leases
   verbs:
-  - get
-  - patch
-  - update
-  - watch
+  - '*'
 - apiGroups:
   - ""
   resources:

diff --git a/chart/helm3/sops-secrets-operator/tests/operator_test.yaml b/chart/helm3/sops-secrets-operator/tests/operator_test.yaml
@@ -30,8 +30,8 @@ tests:
             app.kubernetes.io/instance: sops
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: 0.2.0
-            helm.sh/chart: sops-secrets-operator-0.8.1
+            app.kubernetes.io/version: 0.2.1
+            helm.sh/chart: sops-secrets-operator-0.8.2
 
   # template metadata and spec selector
   - it: should correctly render template metadata and spec selector
@@ -140,7 +140,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: isindir/sops-secrets-operator:0.2.0
+          value: isindir/sops-secrets-operator:0.2.1
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: Always

diff --git a/chart/helm3/sops-secrets-operator/values.yaml b/chart/helm3/sops-secrets-operator/values.yaml
@@ -12,7 +12,7 @@ image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.2.0
+  tag: 0.2.1
   # -- Operator image pull policy
   pullPolicy: Always
 

diff --git a/controllers/sopssecret_controller.go b/controllers/sopssecret_controller.go
@@ -162,7 +162,7 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 				"error",
 				err,
 			)
-			return reconcile.Result{}, nil
+			return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 		}
 
 		if !metav1.IsControlledBy(foundSecret, instance) {
@@ -176,7 +176,7 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 				"error",
 				fmt.Errorf("sopssecret has a conflict with existing kubernetes secret resource, potential reasons: target secret already pre-existed or is managed by multiple sops secrets"),
 			)
-			return reconcile.Result{}, nil
+			return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 		}
 
 		origSecret := foundSecret
@@ -207,7 +207,7 @@ func (r *SopsSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 					"error",
 					err,
 				)
-				return reconcile.Result{}, nil
+				return reconcile.Result{Requeue: true, RequeueAfter: time.Duration(r.RequeueAfter) * time.Minute}, nil
 			}
 			r.Log.Info(
 				"Secret successfully refreshed",
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,10 +11,7 @@ rules: @@
       resources:
       - leases
       verbs:
-      - get
-      - patch
-      - update
-      - watch
+      - '*'
     - apiGroups:
       - ""
       resources:
@@ Expand Down @@