feat: update operator-sdk and golang; add ability to specify kube sec…

…ret type (#10)

.circleci/config.yml

@@ -9,9 +9,9 @@ jobs:
     machine:
       image: ubuntu-1604:202004-01
     environment:
-      GOLANG_VERSION: 1.14.2
+      GOLANG_VERSION: 1.14.4
       # https://github.com/operator-framework/operator-sdk/releases
-      OPERATOR_SDK_VERSION: v0.13.0
+      OPERATOR_SDK_VERSION: v0.18.2
       # https://github.com/github/hub/releases
       HUB_VERSION: 2.14.2
       # https://github.com/git-chglog/git-chglog/releases
@@ -80,10 +80,10 @@ jobs:
       # https://github.com/kubernetes-sigs/kind/releases
       KIND_VERSION: v0.8.1
       # https://github.com/helm/helm/releases
-      HELM_VERSION: v3.2.1
-      GOLANG_VERSION: 1.14.2
+      HELM_VERSION: v3.2.4
+      GOLANG_VERSION: 1.14.4
       # https://github.com/operator-framework/operator-sdk/releases
-      OPERATOR_SDK_VERSION: v0.13.0
+      OPERATOR_SDK_VERSION: v0.18.2
       # https://github.com/mozilla/sops/releases
       SOPS_VERSION: v3.5.0
 
@@ -147,7 +147,7 @@ jobs:
       - run:
           name: start kind
           command: |
-            kind create cluster --name operator
+            kind create cluster --quiet --name operator
             JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}';
             until kubectl get nodes -o jsonpath="$JSONPATH" 2>&1 | grep -q "Ready=True"; do
               sleep 1;
@@ -166,7 +166,7 @@ jobs:
             sudo mv linux-amd64/helm /usr/local/bin/
             rm -fr linux-amd64
             helm version
-      # real fun starts here
+      # build starts here
       - run:
           name: Fetch Go dependencies
           command: |
@@ -179,6 +179,7 @@ jobs:
           key: v2-modules-{{ .Branch }}-{{ checksum "go.sum" }}
           paths:
             - "/home/circleci/gogo/pkg"
+      # tests start here
       - run:
           name: Run Local Tests
           command: |
@@ -214,16 +215,17 @@ jobs:
             kubectl apply -f 00init.enc.yaml --namespace sops
             sleep 3
             nohup make run/local &
-            sleep 75
+            sleep 150
             kubectl get sops --namespace sops
             echo
             kubectl get secrets --namespace sops
             echo
             export SECRETS_NUMBER=$( kubectl get secrets --namespace sops \
               | awk '$0!~/default-token/ && $0!~/NAME/ { print $1; }' \
               | wc -l )
-            if [[ $SECRETS_NUMBER -ne 3 ]]; then
-              echo "Expected number of secrets in sops namespace is 3 - Failed"
+            if [[ $SECRETS_NUMBER -ne 4 ]]; then
+              echo "Expected number of secrets in sops namespace is 4 - Failed"
+              tail -40 nohup.out
               exit 1
             fi
             # Delete to check GC works

Makefile

@@ -129,7 +129,7 @@ test/unit:
 ## test/e2e: runs e2e tests
 test/e2e:
 	@echo "Running e2e tests"
-	@operator-sdk test local ./test/e2e --up-local --namespace sops
+	@operator-sdk test local ./test/e2e --up-local --operator-namespace sops
 	@echo
 
 .PHONY: test/operator
@@ -145,7 +145,7 @@ test: test/operator
 .PHONY: run/local
 ## run/local: runs operator in local mode
 run/local:
-	@OPERATOR_NAME=sops-secrets-operator operator-sdk up local --namespace=sops
+	@OPERATOR_NAME=sops-secrets-operator operator-sdk run local --watch-namespace="sops"
 
 .PHONY: run/sdk
 ## run/sdk: runs sdk docker image

README.md

@@ -19,8 +19,9 @@ encrypted files stored in `git` repository.
 # Requirements for building operator from source code
 
 * sops - 3.5.0
-* operator-sdk 0.13.0
-* golang - 1.13.4
+* operator-sdk 0.18.2
+* golang - 1.14.4
+* helm - 3.+
 
 # Operator Installation
 

chart/sops-secrets-operator/Chart.yaml → chart/helm2/sops-secrets-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 0.1.8
-appVersion: 0.0.9
+version: 0.1.9
+appVersion: 0.0.10
 description: sops secrets operator
 name: sops-secrets-operator
 sources:

chart/sops-secrets-operator/values.yaml → chart/helm2/sops-secrets-operator/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: isindir/sops-secrets-operator
-  tag: 0.0.9
+  tag: 0.0.10
   pullPolicy: AlwaysPull
 
 imagePullSecrets: []

chart/helm3/sops-secrets-operator/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+version: 0.1.0
+appVersion: 0.0.10
+type: application
+description: sops secrets operator
+name: sops-secrets-operator
+sources:
+- https://github.com/isindir/sops-secrets-operator.git
+maintainers:
+- name: isindir
+  email: [email protected]

chart/helm3/sops-secrets-operator/README.md

@@ -0,0 +1,98 @@
+# sops-secrets-operator
+
+Installs [sops-secrets-operator](https://github.com/isindir/sops-secrets-operator.git) to provide encrypted secrets in Weaveworks GitOps Flux environment.
+
+## TL;DR;
+
+```console
+$ kubectl create namespace sops
+
+$ kubectl apply -f deploy/crds/isindir_v1alpha1_sopssecret_crd.yaml
+
+$ helm upgrade --install sops chart/sops-secrets-operator/ \
+  --namespace sops -f custom.values.yaml
+```
+
+> where `custom.values.yaml` must customise deployment and configure access to Cloud KMS
+
+* AWS is supported via `kiam` namespace and pod annotations
+* GCP is supported via service account secret which allows decryption using GCP KMS
+* **TODO:** GPG support
+* **TODO:** Azure support
+
+## Introduction
+
+This chart bootstraps a [sops-secrets-operator](https://github.com/isindir/sops-secrets-operator.git) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+  - Kubernetes 1.12+
+  - helm 3.+
+
+## Installing the Chart
+
+### AWS
+
+* Deploy [kiam](https://github.com/uswitch/kiam) using [kiam chart](https://github.com/helm/charts/tree/master/stable/kiam)
+* Create IAM assume role which allows to use KMS key for decryption
+* Create Kubernetes namespace for operator deployment, with kiam annotation
+* Apply `sops-secrets-operator` CRD
+* Deploy helm chart
+
+### GCP
+
+* Create GCP Service Account which allows to use KMS to decrypt
+* Create custom values file in a following format:
+
+```yaml
+gcp:
+  enabled: true
+  svcAccSecret: |-
+    {
+      "type": "service_account",
+      ...
+    }
+```
+
+* Create Kubernetes namespace for operator deployment
+* Apply `sops-secrets-operator` CRD
+* Deploy helm chart specifying extra values file
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm delete --purge sops
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+The following table lists the configurable parameters of the kiam chart and their default values.
+
+Parameter | Description | Default
+--- | --- | ---
+`replicaCount` | Deployment replica count  - should not be modified | `1`
+`image.repository` | Operator image | `isindir/sops-secrets-operator`
+`image.tag` | Operator image tag | `0.0.7`
+`image.pullPolicy` | Operator image pull policy | `AlwaysPull`
+`imagePullSecrets` | Secrets to pull image from private docker repository | `[]`
+`nameOverride` | Overrides auto-generated short resource name | `""`
+`fullnameOverride` | Overrides auto-generated long resource name | `""`
+`podAnnotations` | Annotations to be added to agent pods | `{}`
+`watchNamespace` | Namespace to watch CRs, if not specified all namespaces will be watched | `""`
+`gcp.enabled` | If `true` GCP secret will be created from provided value and mounted as environment variable | `false`
+`gcp.svcAccSecretCustomName` | Name of the secret to create - will override default secret name if specified | `''`
+`gcp.svcAccSecret` | If `gcp.enabled` is `true`, this value must be specified as GCP service account secret json payload | `''`
+`nodeSelector` | Node labels for operator pod assignment | `{}`
+`resources` | Operator container resources | `{}`
+`tolerations` | Tolerations to be applied to operator pod | `[]`
+`affinity` | Node affinity for pod assignment | `{}`
+`rbac.enabled` | If `true`, create & use RBAC resources | `true`
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+> **Tip**: You can use the default [values.yaml](values.yaml)

chart/helm3/sops-secrets-operator/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sops-secrets-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sops-secrets-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sops-secrets-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "sops-secrets-operator.labels" -}}
+app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }}
+helm.sh/chart: {{ include "sops-secrets-operator.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}

chart/helm3/sops-secrets-operator/templates/cluster_role.yaml

@@ -0,0 +1,66 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "sops-secrets-operator.fullname" . }}
+  labels:
+{{ include "sops-secrets-operator.labels" . | indent 4 }}
+    app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - services/finalizers
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - apps
+  resourceNames:
+  - sops-secrets-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - isindir.github.com
+  resources:
+  - '*'
+  verbs:
+  - '*'
+{{- end }}

chart/helm3/sops-secrets-operator/templates/cluster_role_binding.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.rbac.enabled }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "sops-secrets-operator.fullname" . }}
+  labels:
+{{ include "sops-secrets-operator.labels" . | indent 4 }}
+    app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "sops-secrets-operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "sops-secrets-operator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}