refactor(charts/injector): improve upgrade directions for cert reinst…

…allation (#125)

Related to #124

- Improve helm chart install and upgrade directions to help with reset
of the self signed cert.
- Add a check for the expiration of the existing cert in the next n days
and log this.
- Align the secret type to tls type.
- Expose `webhookCertExpireDays` with a default of 365 days.
- Chart doesn't try to recreate secret, instead gives kubectl command to
do this as hook life cycles aren't a straight forward to do this without
errors I can't easily test for.

fixes
[AB#590946](https://thycotic.visualstudio.com/4a89362e-1361-424f-a291-a8f57c2a8991/_workitems/edit/590946)
fixes #124

---

For more details, open the [Copilot Workspace
session](https://copilot-workspace.githubnext.com/DelineaXPM/dsv-k8s/issues/124?shareId=1fba5ec4-ec09-46f8-8477-05bc72386546).

.changes/v1.2.3.md

@@ -0,0 +1,11 @@
+## v1.2.3 - 2024-08-12
+
+
+### 🤖 CI & Build
+
+- Add a buildName metadata to binary so easy to see if caching issue with container loading. Handle `dev.local/dsv-k8s` as standard image name to better reflect standard approach I've been using. Improve validation checks. Goreleaser upgrade schema and more. Lots of quality of life improvements for dev, and aqua updates.
+
+### 🔨 Refactor
+
+- Improve `values.yml` for the dsv-injector to expose the days till expiration of the self signed cert.
+Include minor doc improvements to this as well to better handle.

.golangci.yml

@@ -1,22 +1,17 @@
 ---
 output:
-  format: tab
+  formats:
+    - format: tab
 linters-settings:
   misspell:
     locale: US
-  gomnd:
-    settings:
-      mnd:
-        checks: [argument, case, condition, return]
-        ignored-functions: strconv.ParseFloat,rsa.GenerateKey
+
   nolintlint:
     allow-unused: false
-    allow-leading-space: true
     allow-no-explanation: []
     require-explanation: true
     require-specific: true
   gofumpt:
-    lang-version: '1.18'
     extra-rules: true
   godox:
     keywords:
@@ -33,45 +28,45 @@ linters-settings:
       - ^[ ]*@
     capital: true
   depguard:
-    list-type: blacklist
-    include-go-root: true
-    includeGoStdLib: true
-    packages:
-      - github.com/sirupsen/logrus
-    packages-with-error-message:
-      - github.com/sirupsen/logrus: logging is allowed only by zerolog. Please use zerolog
-      - io/ioutil: 'io/ioutil was deprecated in Go 1.16: https://tip.golang.org/doc/go1.16'
-    gomodguard:
-      blocked:
-        modules:
-          - github.com/sirupsen/logrus:
-              recommendations:
-                - internal/logging
-              reason: logging is allowed only by zerolog. Please use zerolog
-        local_replace_directives: false
+    rules:
+      main:
+        deny:
+          - pkg: 'github.com/sirupsen/logrus'
+            desc: use zerolog
+          - pkg: log
+            desc: use zerolog
+          - pkg: 'github.com/pkg/errors'
+            desc: Should be replaced by standard lib errors package
+
+    # gomodguard:
+    #   blocked:
+    #     modules:
+    #       - github.com/sirupsen/logrus:
+    #           recommendations:
+    #             - internal/logging
+    #           reason: logging is allowed only by zerolog. Please use zerolog
+    #     local_replace_directives: false
   tagliatelle:
     case:
       use-field-name: true
       rules:
-        json: kebab
+        json: snake
         yaml: kebab
         xml: camel
         bson: camel
         avro: snake
         mapstructure: kebab
-    errcheck:
-      check-type-assertions: true
-      check-blank: false
-      ignore: fmt:.*,io/ioutil:^Read.*
-      exclude-functions:
-        - io/ioutil.ReadFile
-        - io.Copy(*bytes.Buffer)
-        - io.Copy(os.Stdout)
-        - io.Closer.Close
-        - io.Closer.Body.Close
+  errcheck:
+    check-type-assertions: true
+    check-blank: false
+    exclude-functions:
+      - io/ioutil.ReadFile
+      - io.Copy(*bytes.Buffer)
+      - io.Copy(os.Stdout)
+      - io.Closer.Close
+      - io.Closer.Body.Close
   govet:
     enable-all: true
-    check-shadowing: true
     disable:
       - fieldalignment
     settings:
@@ -99,18 +94,22 @@ linters-settings:
       - ok
       - zl
       - fs
-    disable:
-      - fieldalignment
+
   revive:
     ignore-generated-header: true
-    enableAllRules: true
-    exclude:
-      - .*_test.go
+    enable-all-rules: true
     rules:
       - name: var-naming
         severity: error
+      - name: line-length-limit
+        severity: warning
+        arguments:
+          - 400
+      - name: function-length
+        severity: warning
+        arguments: [20, 5000]
+
 linters:
-  exclude-use-default: false
   enable-all: true
   disable:
     - scopelint
@@ -143,14 +142,12 @@ linters:
     - rowserrcheck # disabled due to generics, can enable in future if needed
     - sqlclosecheck # disabled due to generics, can enable in future if needed
     - wastedassign # disabled due to generics, can enable in future if needed
+    - funlen #OVERRIDE: ok using for bot, lots of quick long commands i worked on
+    - cyclop #OVERRIDE: ok using for bot, lots of quick long commands i worked on
+    - gocognit #OVERRIDE: ok using for bot, lots of quick long commands i worked on
+
 run:
-  skip-dirs-use-default: true
-  skip-dirs:
-    - build
-    - artifacts
-    - _tools
-    - vendor
-    - vendor$
+  timeout: 5m
   build-tags:
     - mage
     - tools
@@ -182,6 +179,17 @@ issues:
         - maintidx
         - deadcode
         - gochecknoglobals
+    - path: magefile.go
+      linters:
+        - goerr113
+        - wrapcheck
+        - funlen
+        - gocyclo
+        - cyclop
+        - gocognit
+        - maintidx
+        - deadcode
+        - gochecknoglobals
     - linters:
         - goerr113
       text: magefiles don't need to worry about wrapping in the same way
@@ -194,3 +202,12 @@ issues:
         - godot
       text: mocked files do not need to be checked
   whole-files: false
+  exclude-dirs:
+    - build
+    - .artifacts
+    - .cache
+    - artifacts
+    - .trunk
+    - _tools
+    - vendor
+    - vendor$

.markdownlint.yaml

@@ -1,6 +1,5 @@
 ---
 #https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md#md002
-comment: my-markdown-linting-rules
 
 # enable all default tagged rules
 default: true
@@ -43,13 +42,11 @@ MD025: true
 # This is for maintainability and code diffs.
 # Try applying semantic line break concept for breaking up longer phrases
 # https://sembr.org/
-MD013:
-  line_length: 200
+MD013: false
 
 # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
 # This tweaks to allow nested items to have duplicate headers.
 MD024:
-  # Only check sibling headings
-  allow_different_nesting: true
   # Only check sibling headings
   siblings_only: true
+MD034: false

.npmrc

@@ -0,0 +1 @@
+v20.15.0

.trunk/trunk.yaml

@@ -45,11 +45,11 @@ lint:
     - linters: [gitleaks]
       level: high
   disabled:
+    - gokart
     - cspell
     - gofmt
   enabled:
     - checkov@3.2.128
-    - gokart@0.5.1
     - osv-scanner@1.7.4
     - terrascan@1.19.1
     - trivy@0.52.0

CHANGELOG.md

@@ -6,6 +6,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
+## v1.2.3 - 2024-08-12
+
+### 🤖 CI & Build
+
+- Add a buildName metadata to binary so easy to see if caching issue with container loading. Handle `dev.local/dsv-k8s` as standard image name to better reflect standard approach I've been using. Improve validation checks. Goreleaser upgrade schema and more. Lots of quality of life improvements for dev, and aqua updates.
+
+### 🔨 Refactor
+
+- Improve `values.yml` for the dsv-injector to expose the days till expiration of the self signed cert.
+  Include minor doc improvements to this as well to better handle.
+
 ## v1.2.2 - 2024-01-15
 
 ### ⬆️ Dependencies

charts/dsv-injector/Chart.yaml

@@ -8,7 +8,7 @@ description: |
   NAMESPACE='dsv'
   CREDENTIALS_JSON_FILE='.cache/credentials.json' # replace with your credentials file
   IMAGE_REPOSITORY='docker.io/delineaxpm/dsv-k8s'
-  IMAGE_TAG='v1.2.2' # use latest for test, but pin to a specific version for production
+  IMAGE_TAG='v1.2.3' # use latest for test, but pin to a specific version for production
 
   helm install \
       --namespace $NAMESPACE \
@@ -18,18 +18,48 @@ description: |
       --set image.tag=${IMAGE_TAG} \
       --atomic \
       --timeout "5m" \
-      --debug -v4 \ # optional --values ./myvaluesfile/values.yaml \
+      --debug -v4 \ # optional for local test iteration --values .cache/charts/dsv-injector/values.yaml \
       dsv-injector ./charts/dsv-injector
   ```
 
+  An upgrade to the existing deployment can be done with:
+
+  ```shell
+  helm upgrade \
+    --namespace $NAMESPACE \
+    --atomic \
+    --timeout "5m" \
+    --debug -v4 \
+    dsv-injector ./charts/dsv-injector
+  ```
+
+  To upgrade, ensuring that the current self signed cert that is deployed by default (if not using your own CA), run the commands below to ensure the prior hook and secret are removed so they can be recreated with the newly generated cert.
+
+  ```shell
+  kubectl --namespace $NAMESPACE delete mutatingwebhookconfiguration dsv-injector \
+  && kubectl --namespace $NAMESPACE delete secret --timeout "5m" dsv-injector-tls \
+  && helm upgrade \
+    --namespace $NAMESPACE \
+    --atomic \
+    --timeout "5m" \
+    --debug -v4 \
+    dsv-injector ./charts/dsv-injector
+  ```
+
+  To uninstall the deployment, you can run:
+
+  ```shell
+  helm uninstall --namespace $NAMESPACE dsv-injector
+  ```
+
 keywords:
   - Delinea
   - DevOps
   - DSV
   - secrets
   - vault
 type: application
-version: v1.2.2
+version: v1.2.3
 appVersion: latest
 maintainers:
   - name: Sheldon Hull