feat: bump API version; add suspend feature in sops object; make sops…

…:data to map to secret:data (was secret:stringData) and sops:stringData to secret:stringData (#76)

.circleci/config.yml

@@ -287,30 +287,55 @@ jobs:
             sleep 3
             sops -e -p $FP \
               --encrypted-suffix='Templates' \
-              config/samples/isindir_v1alpha2_sopssecret.yaml \
-              > config/samples/isindir_v1alpha2_sopssecret.enc.yaml
-            file config/samples/isindir_v1alpha2_sopssecret.enc.yaml
+              config/samples/isindir_v1alpha3_sopssecret.yaml \
+              > config/samples/isindir_v1alpha3_sopssecret.enc.yaml
+            file config/samples/isindir_v1alpha3_sopssecret.enc.yaml
             echo "====================================="
-            cat config/samples/isindir_v1alpha2_sopssecret.enc.yaml
+            cat config/samples/isindir_v1alpha3_sopssecret.enc.yaml
             echo "====================================="
-            kubectl apply -f config/samples/isindir_v1alpha2_sopssecret.enc.yaml --namespace sops
+            kubectl apply -f config/samples/isindir_v1alpha3_sopssecret.enc.yaml --namespace sops
             sleep 3
             nohup make run &
             sleep 150
             kubectl get sops --namespace sops
             echo
             kubectl get secrets --namespace sops
             echo
-            export SECRETS_NUMBER=$( kubectl get secrets --namespace sops \
-              | awk '$0!~/default-token/ && $0!~/NAME/ { print $1; }' \
+            export SECRETS_NUMBER=$( kubectl get secrets --namespace sops --no-headers \
+              | awk '$0 !~ /default-token/ { print $1; }' \
               | wc -l )
-            if [[ $SECRETS_NUMBER -ne 4 ]]; then
-              echo "Expected number of secrets in sops namespace is 4 - Failed"
+            if [[ $SECRETS_NUMBER -ne 5 ]]; then
+              echo "Expected number of secrets in sops namespace is 5 - Failed"
+              tail -40 nohup.out
+              exit 1
+            fi
+            # Check specific k8s for amount of data entries
+            ## my-secret-name-0
+            export DATA_ENTRIES=$( kubectl get secrets my-secret-name-0 --namespace sops --no-headers \
+              | awk '{print $3}' )
+            if [[ $DATA_ENTRIES -ne 2 ]]; then
+              echo "Expected number of data entries in my-secret-name-0 is 2 - Failed"
+              tail -40 nohup.out
+              exit 1
+            fi
+            ## my-secret-name-1
+            export DATA_ENTRIES=$( kubectl get secrets my-secret-name-1 --namespace sops --no-headers \
+              | awk '{print $3}' )
+            if [[ $DATA_ENTRIES -ne 3 ]]; then
+              echo "Expected number of data entries in my-secret-name-1 is 3 - Failed"
+              tail -40 nohup.out
+              exit 1
+            fi
+            ## my-secret-name-2
+            export DATA_ENTRIES=$( kubectl get secrets my-secret-name-2 --namespace sops --no-headers \
+              | awk '{print $3}' )
+            if [[ $DATA_ENTRIES -ne 2 ]]; then
+              echo "Expected number of data entries in my-secret-name-2 is 2 - Failed"
               tail -40 nohup.out
               exit 1
             fi
             # Delete to check GC works
-            kubectl delete -f config/samples/isindir_v1alpha2_sopssecret.enc.yaml --namespace sops
+            kubectl delete -f config/samples/isindir_v1alpha3_sopssecret.enc.yaml --namespace sops
             sleep 15
             kubectl get sops --namespace sops
             echo

Makefile

@@ -1,5 +1,5 @@
 GO := GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.2.2
+SOPS_SEC_OPERATOR_VERSION := 0.3.0
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.4.1"

PROJECT

@@ -11,6 +11,6 @@ resources:
   domain: github.com
   group: isindir
   kind: SopsSecret
-  path: github.com/isindir/sops-secrets-operator/api/v1alpha2
-  version: v1alpha2
+  path: github.com/isindir/sops-secrets-operator/api/v1alpha3
+  version: v1alpha3
 version: "3"

README.md

@@ -142,26 +142,37 @@ helm upgrade --install sops chart/helm3/sops-secrets-operator/ \
 
 ```yaml
 cat >jenkins-secrets.yaml <<EOF
-apiVersion: isindir.github.com/v1alpha2
+apiVersion: isindir.github.com/v1alpha3
 kind: SopsSecret
 metadata:
   name: example-sopssecret
 spec:
+  # suspend reconciliation of the sops secret object
+  suspend: false
   secretTemplates:
+    - name: my-secret-name-1
+      labels:
+        label1: value1
+      annotations:
+        key1: value1
+      stringData:
+        data-name0: data-value0
+      data:
+        data-name1: ZGF0YS12YWx1ZTE=
     - name: jenkins-secret
       labels:
         "jenkins.io/credentials-type": "usernamePassword"
       annotations:
         "jenkins.io/credentials-description" : "credentials from Kubernetes"
-      data:
+      stingData:
         username: myUsername
         password: 'Pa$$word'
     - name: some-token
-      data:
+      stringData:
         token: Wb4ziZdELkdUf6m6KtNd7iRjjQRvSeJno5meH4NAGHFmpqJyEsekZ2WjX232s4Gj
     - name: docker-login
       type: 'kubernetes.io/dockerconfigjson'
-      data:
+      stringData:
         .dockerconfigjson: '{"auths":{"index.docker.io":{"username":"imyuser","password":"mypass","email":"[email protected]","auth":"aW15dXNlcjpteXBhc3M="}}}'
 EOF
 ```

api/v1alpha2/groupversion_info.go → api/v1alpha3/groupversion_info.go

@@ -1,11 +1,7 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
-
-// Package v1alpha2 contains API Schema definitions for the isindir v1alpha2 API group
+// Package v1alpha3 contains API Schema definitions for the isindir v1alpha3 API group
 //+kubebuilder:object:generate=true
 //+groupName=isindir.github.com
-package v1alpha2
+package v1alpha3
 
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -14,7 +10,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "isindir.github.com", Version: "v1alpha2"}
+	GroupVersion = schema.GroupVersion{Group: "isindir.github.com", Version: "v1alpha3"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

api/v1alpha2/sopssecret_types.go → api/v1alpha3/sopssecret_types.go

@@ -2,7 +2,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
 
-package v1alpha2
+package v1alpha3
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -11,9 +11,22 @@ import (
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 // For upstream reference, see https://github.com/mozilla/sops/blob/master/stores/stores.go
 
+// SopsSecretSpec defines the desired state of SopsSecret
+type SopsSecretSpec struct {
+	// Secrets template is a list of definitions to create Kubernetes Secrets
+	// +kubebuilder:validation:MinItems=1
+	// +required
+	SecretsTemplate []SopsSecretTemplate `json:"secretTemplates"`
+
+	// This flag tells the controller to suspend the reconciliation of this source.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+}
+
 // SopsSecretTemplate defines the map of secrets to create
 type SopsSecretTemplate struct {
 	// Name of the Kubernetes secret to create
+	// +required
 	Name string `json:"name"`
 
 	// Annotations to apply to Kubernetes secret
@@ -31,19 +44,15 @@ type SopsSecretTemplate struct {
 	// +optional
 	Type string `json:"type,omitempty"`
 
-	// Data map to use in Kubernetes secret (equivalent to Kubernetes Secret object stringData, please see for more
+	// Data map to use in Kubernetes secret (equivalent to Kubernetes Secret object data, please see for more
 	// information: https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
-	Data map[string]string `json:"data"`
-}
-
-// SopsSecretSpec defines the desired state of SopsSecret
-type SopsSecretSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// +optional
+	Data map[string]string `json:"data,omitempty"`
 
-	// Secrets template is a list of definitions to create Kubernetes Secrets
-	//+kubebuilder:validation:MinItems=1
-	SecretsTemplate []SopsSecretTemplate `json:"secretTemplates"`
+	// stringData map to use in Kubernetes secret (equivalent to Kubernetes Secret object stringData, please see for more
+	// information: https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+	// +optional
+	StringData map[string]string `json:"stringData,omitempty"`
 }
 
 // KmsDataItem defines AWS KMS specific encryption details

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-version: 0.8.4
-appVersion: 0.2.2
+version: 0.9.0
+appVersion: 0.3.0
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator
@@ -23,7 +23,7 @@ metadata:
     artifacthub.io/operatorCapabilities: "Full Lifecycle"
     artifacthub.io/crds:
     - kind: SopsSecret
-      version: isindir.github.com/v1alpha2
+      version: isindir.github.com/v1alpha3
       name: sopssecret
       displayName: SopsSecret
       description: SopsSecret - encapsulates sops encrypted kubernetes secrets definitions

chart/helm3/sops-secrets-operator/README.md

@@ -131,7 +131,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.2.2"` | Operator image tag |
+| image.tag | string | `"0.3.0"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | kubeconfig | object | `{"enabled":false,"path":null}` | Paths to a kubeconfig. Only required if out-of-cluster. |
 | logging | object | `{"encoder":"json","level":"info","stacktraceLevel":"error"}` | Logging configuration section suggested values Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default) |

chart/helm3/sops-secrets-operator/tests/operator_test.yaml

@@ -30,8 +30,8 @@ tests:
             app.kubernetes.io/instance: sops
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: 0.2.2
-            helm.sh/chart: sops-secrets-operator-0.8.4
+            app.kubernetes.io/version: 0.3.0
+            helm.sh/chart: sops-secrets-operator-0.9.0
 
   # template metadata and spec selector
   - it: should correctly render template metadata and spec selector
@@ -140,7 +140,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: isindir/sops-secrets-operator:0.2.2
+          value: isindir/sops-secrets-operator:0.3.0
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: Always

chart/helm3/sops-secrets-operator/values.yaml

@@ -12,7 +12,7 @@ image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.2.2
+  tag: 0.3.0
   # -- Operator image pull policy
   pullPolicy: Always
 

config/crd/bases/isindir.github.com_sopssecrets.yaml

@@ -22,7 +22,7 @@ spec:
     - jsonPath: .status.message
       name: Status
       type: string
-    name: v1alpha2
+    name: v1alpha3
     schema:
       openAPIV3Schema:
         description: SopsSecret is the Schema for the sopssecrets API
@@ -178,8 +178,8 @@ spec:
                       additionalProperties:
                         type: string
                       description: 'Data map to use in Kubernetes secret (equivalent
-                        to Kubernetes Secret object stringData, please see for more
-                        information: https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)'
+                        to Kubernetes Secret object data, please see for more information:
+                        https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)'
                       type: object
                     labels:
                       additionalProperties:
@@ -189,18 +189,28 @@ spec:
                     name:
                       description: Name of the Kubernetes secret to create
                       type: string
+                    stringData:
+                      additionalProperties:
+                        type: string
+                      description: 'stringData map to use in Kubernetes secret (equivalent
+                        to Kubernetes Secret object stringData, please see for more
+                        information: https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)'
+                      type: object
                     type:
                       description: 'Kubernetes secret type. Default: Opauqe. Possible
                         values: Opauqe, kubernetes.io/service-account-token, kubernetes.io/dockercfg,
                         kubernetes.io/dockerconfigjson, kubernetes.io/basic-auth,
                         kubernetes.io/ssh-auth, kubernetes.io/tls, bootstrap.kubernetes.io/token'
                       type: string
                   required:
-                  - data
                   - name
                   type: object
                 minItems: 1
                 type: array
+              suspend:
+                description: This flag tells the controller to suspend the reconciliation
+                  of this source.
+                type: boolean
             required:
             - secretTemplates
             type: object

config/samples/isindir_v1alpha2_sopssecret.yaml → config/samples/isindir_v1alpha3_sopssecret.yaml

@@ -1,7 +1,7 @@
-apiVersion: isindir.github.com/v1alpha2
+apiVersion: isindir.github.com/v1alpha3
 kind: SopsSecret
 metadata:
-  name: example-sopssecret
+  name: sopssecret-sample
 spec:
   secretTemplates:
     - name: my-secret-name-0
@@ -11,28 +11,36 @@ spec:
       annotations:
         key0: value0
         keyN: valueN
-      data:
+      stringData:
         data-name0: data-value0
         data-nameL: data-valueL
-    - name: my-secret-name-z
+    - name: my-secret-name-1
       labels:
-        label0: value0
-        labelK: valueK
+        label1: value1
       annotations:
-        key0: value0
-        keyN: valueN
+        key1: value1
       data:
+        data-name1: ZGF0YS12YWx1ZTE=
+        data-nameM: ZGF0YS12YWx1ZU0=
+      stringData:
         data-name0: data-value0
-        data-nameL: data-valueL
+    - name: my-secret-name-2
+      labels:
+        label1: value1
+      annotations:
+        key1: value1
+      data:
+        data-name1: ZGF0YS12YWx1ZTE=
+        data-nameM: ZGF0YS12YWx1ZU0=
     - name: jenkins-secret
       labels:
         "jenkins.io/credentials-type": "usernamePassword"
       annotations:
         "jenkins.io/credentials-description" : "credentials from Kubernetes"
-      data:
+      stringData:
         username: myUsername
         password: 'Pa$$word'
     - name: docker-login
       type: 'kubernetes.io/dockerconfigjson'
-      data:
+      stringData:
         .dockerconfigjson: '{"auths":{"index.docker.io":{"username":"imyuser","password":"mypass","email":"[email protected]","auth":"aW15dXNlcjpteXBhc3M="}}}'