From 4c6a8ced02fa0f13ade26dbc3573f5eb849769cf Mon Sep 17 00:00:00 2001 From: Sheldon Hull Date: Wed, 30 Aug 2023 21:49:55 +0000 Subject: [PATCH 1/7] build(mage): remove cpu and memory specs on minikube call --- magefiles/minikube/minikube.mage.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/magefiles/minikube/minikube.mage.go b/magefiles/minikube/minikube.mage.go index 3712dac..9fbf659 100644 --- a/magefiles/minikube/minikube.mage.go +++ b/magefiles/minikube/minikube.mage.go @@ -25,8 +25,8 @@ func createCluster() error { "start", "--profile", constants.KindClusterName, "--namespace", constants.KubectlNamespace, - "--cpus", constants.MinikubeCPU, - "--memory", constants.MinikubeMemory, + // "--cpus", constants.MinikubeCPU, + // "--memory", constants.MinikubeMemory, } // if os.Getenv("KIND_SETUP_CONFIG") != "" { // pterm.Info.Printfln("KIND_SETUP_CONFIG: %s", os.Getenv("KIND_SETUP_CONFIG")) From 5cf451f5a6a6fece7df4af801fca73b6c18d25f9 Mon Sep 17 00:00:00 2001 From: Sheldon Hull Date: Thu, 31 Aug 2023 01:05:55 +0000 Subject: [PATCH 2/7] wip --- .envrc | 40 +++++ docs/configure.md | 17 +- examples/add-to-secret.yml | 3 +- examples/set-secret.yml | 5 +- examples/update-secret.yml | 3 +- magefiles/constants/constants.mage.go | 3 + magefiles/helm/helm.mage.go | 22 ++- magefiles/jobs.mage.go | 2 +- magefiles/k8s/k8s.mage.go | 3 +- magefiles/magefile.go | 2 + magefiles/minikube/minikube.mage.go | 10 +- magefiles/vault/vault.mage.go | 221 ++++++++++++++++++++++++++ pkg/patch/patch_test.go | 6 +- 13 files changed, 313 insertions(+), 24 deletions(-) create mode 100644 magefiles/vault/vault.mage.go diff --git a/.envrc b/.envrc index 639fc7c..89e93d8 100644 --- a/.envrc +++ b/.envrc 
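Review bot: The `--cpus`/`--memory` pair is commented out rather than deleted, which leaves dead argument lines in `createCluster` and presumably leaves `constants.MinikubeCPU` and `constants.MinikubeMemory` unreferenced (their declarations are outside this hunk). If minikube's defaults are the intent, remove the two lines and the constants; if they are meant to return, gate them behind an environment variable rather than a comment. `createCluster`'s body continues outside the hunk.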
@@ -2,6 +2,24 @@ export DIRENV_WARN_TIMEOUT='10s' export DIRENV_LOG_FORMAT="" +INFO_COLOR="\033[1;30;40m" +RESET_COLOR="\033[0m" +WARNING_COLOR="\033[33m" +END_WARNING_COLOR="\033[0m" +IMPORTANT_COLOR="\033[104;30m" +WORKING_COLOR="\033[94m" +BACKGROUND_GREEN="\033[94m" +RESET_BACKGROUND="\033[0;49m" + +# variable for setting terminal output with blue background with black text +BACKGROUND_BLUE="\033[44;30m" + +# variable for setting terminal output with light green background with black text and bold +BACKGROUND_LIGHT_GREEN="\033[1;102;30m" + +# variable for setting terminal output with light yellow background and black text that is bold +BACKGROUND_LIGHT_YELLOW="\033[1;103;30m" + source_env "$HOME" source_env_if_exists ./env/.envrc export PATH="${GOPATH}/bin:${PATH}" @@ -24,3 +42,25 @@ alias tilt="$(aqua which tilt)" alias mages="$(aqua which mage-select)" eval $(minikube docker-env) + +if [[ -f ".env" ]]; then + dotenv_if_exists ".env" +else + printf "${BACKGROUND_LIGHT_YELLOW}LOCAL ENVIRONMENT CONFIGURATION${RESET_COLOR}\n" + printf "${WARNING_COLOR}👉 .env not found\n" + printf "${WARNING_COLOR}\tSuggested fixes:\n" + printf "${WARNING_COLOR}\t\t1. create ${BACKGROUND_LIGHT_GREEN}.env${RESET_COLOR}\n" + printf "${WARNING_COLOR}\t\t2. ensure ${RESET_COLOR}${BACKGROUND_LIGHT_GREEN}.env${RESET_COLOR}${WARNING_COLOR} contains the following variables: \n\n" +fi +# Check if DSV_PROFILE_NAME is set +if [[ -z "${DSV_PROFILE_NAME}" ]]; then + printf "\t\t\t- ${WARNING_COLOR}👉 DSV_PROFILE_NAME not set${RESET_COLOR}\n" +else + printf "✔️ ${INFO_COLOR}DSV_PROFILE_NAME set${RESET_COLOR}\n" +fi +# Check if DSV_TENANT_NAME is set +if [[ -z "${DSV_TENANT_NAME}" ]]; then + printf "\t\t\t- ${WARNING_COLOR}👉 DSV_TENANT_NAME not set${RESET_COLOR}\n" +else + printf "✔️ ${INFO_COLOR}DSV_TENANT_NAME set${RESET_COLOR}\n" +fi diff --git a/docs/configure.md b/docs/configure.md index 152d3e4..7ad533e 100644 --- a/docs/configure.md +++ b/docs/configure.md 
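Review bot: The new `printf` calls put expanded variables in the format string (`printf "${WARNING_COLOR}👉 .env not found\n"`), so any `%` in the expanded text would be read as a conversion; pass the text as an argument instead, e.g. `printf '%b\n' "${WARNING_COLOR}👉 .env not found${RESET_COLOR}"`. `BACKGROUND_GREEN="\033[94m"` holds the same bright-blue foreground code as `WORKING_COLOR`, not a green background, so the name is misleading. The `[[ -f ".env" ]]` test followed by `dotenv_if_exists ".env"` is redundant; plain `dotenv .env` in that branch does the same. Several of the warning lines never emit `${RESET_COLOR}`, so the colour bleeds into whatever prints next.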
@@ -3,7 +3,16 @@ This focuses on the DSV configuration required to use with Kubernetes. This applies to both local testing Kubernetes and your own seperate cluster. -## JSON Credentials for Helm Install +## Help Getting Started + +Run `mage dsv:setupdsv` to create the required DSV configuration for testing. +This requires you to have already run `dsv init` in the project and runs against the profile you specified in `.env`. +You should ensure `direnv allow` has been run and the `.env` file is loaded. +Your `zsh` terminal should warn you if you didn't create the `.env` file. + +## Manually Creating (Prior Method Before Automation) + +### JSON Credentials for Helm Install The configuration requires a JSON formatted list of Client Credential and Tenant mappings. @@ -34,7 +43,7 @@ You can place your temporary config in `.cache/credentials.json` as this is igno ### Update Manifests -This would be referenced by a Kubernetes secret with annontations like: +This would be referenced by a Kubernetes secret with annotations like: ```yaml --- @@ -44,7 +53,7 @@ metadata: name: user-domain-pass annotations: dsv.delinea.com/credentials: app1 - dsv.delinea.com/set-secret: 'k8s:sync:test' + dsv.delinea.com/set-secret: 'tests:dsv-k8s' ``` If using the provided examples, you can edit: `.cache/manifests` and adjust the secrets to map. @@ -60,7 +69,7 @@ Create the role that will allow creating a client for programmatic access ```shell dsv role create --name 'k8s' --desc 'test profile for k8s' -dsv secret create --path 'k8s:sync:test' --data '{"password": "admin","username": "admin"}' +dsv secret create --path 'tests:dsv-k8s' --data '{"password": "admin","username": "admin"}' ``` Create a policy that allows the local user to read the secret, modify this to the correct user/group mapping: diff --git a/examples/add-to-secret.yml b/examples/add-to-secret.yml index 6849bff..03ae51e 100644 --- a/examples/add-to-secret.yml +++ b/examples/add-to-secret.yml 
@@ -4,8 +4,9 @@ kind: Secret metadata: name: user-domain annotations: - dsv.delinea.com/add-to-secret: 'k8s:sync:test' + dsv.delinea.com/add-to-secret: 'tests:dsv-k8s' type: Opaque data: username: dW5tb2RpZmllZC11c2VybmFtZQ== domain: dW5tb2RpZmllZC1kb21haW4= + food: aW0gaHVuZ3J5IGFuZCB0aGlzIHNob3VsZCBiZSByZXBsYWNlZCB3aXRoIGdvb2QgZm9vZAo= diff --git a/examples/set-secret.yml b/examples/set-secret.yml index 9d4dc8c..ba73fd4 100644 --- a/examples/set-secret.yml +++ b/examples/set-secret.yml @@ -4,10 +4,11 @@ kind: Secret metadata: name: user-domain-pass annotations: - dsv.delinea.com/credentials: app1 # or default if not using multiple credentials - dsv.delinea.com/set-secret: 'k8s:sync:test' + # dsv.delinea.com/credentials: app1 # or default if not using multiple credentials + dsv.delinea.com/set-secret: 'tests:dsv-k8s' type: Opaque data: username: dW5tb2RpZmllZC11c2VybmFtZQ== domain: dW5tb2RpZmllZC1kb21haW4= password: dW5tb2RpZmllZC1wYXNzd29yZA== + food: aW0gaHVuZ3J5IGFuZCB0aGlzIHNob3VsZCBiZSByZXBsYWNlZCB3aXRoIGdvb2QgZm9vZAo= diff --git a/examples/update-secret.yml b/examples/update-secret.yml index aacd91d..1a8f3c0 100644 --- a/examples/update-secret.yml +++ b/examples/update-secret.yml @@ -4,8 +4,9 @@ kind: Secret metadata: name: pass-domain annotations: - dsv.delinea.com/update-secret: 'k8s:sync:test' + dsv.delinea.com/update-secret: 'tests:dsv-k8s' type: Opaque data: password: dW5tb2RpZmllZC1wYXNzd29yZA== domain: dW5tb2RpZmllZC1kb21haW4= + food: aW0gaHVuZ3J5IGFuZCB0aGlzIHNob3VsZCBiZSByZXBsYWNlZCB3aXRoIGdvb2QgZm9vZAo= diff --git a/magefiles/constants/constants.mage.go b/magefiles/constants/constants.mage.go index a54da57..04a152e 100644 --- a/magefiles/constants/constants.mage.go +++ b/magefiles/constants/constants.mage.go 
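Review bot: `set-secret.yml` comments out `dsv.delinea.com/credentials: app1`, but the `docs/configure.md` snippet in this same patch still shows the secret with that annotation set, so the documented example and the shipped example no longer match; keep the annotation in the example or update the doc snippet. The `food` entry added to all three examples is a base64 placeholder whose purpose is not stated; a one-line comment above it such as `# test placeholder value, presumably overwritten by the sync` would tell a reader why it is there.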
@@ -25,6 +25,9 @@ const ( // CacheChartsDirectory is the directory where the cached helm values file is copied to. CacheChartsDirectory = ".cache/charts" + + // CacheCredentialFile is the path to the credential file for the project, which is cached locally. + CacheCredentialFile = ".cache/credentials.json" //nolint:gosec // this is a test project and this directory is excluded from source ) const ( diff --git a/magefiles/helm/helm.mage.go b/magefiles/helm/helm.mage.go index b5f6fd0..84897d7 100644 --- a/magefiles/helm/helm.mage.go +++ b/magefiles/helm/helm.mage.go @@ -82,8 +82,8 @@ func (Helm) Init() error { } // 🚀 Install uses Helm to -// 🚀 Install installs or upgrades the helm charts for any charts listed in constants.HelmChartsList. -func (Helm) Install() { +// 🚀 Install installs/upgrades the helm charts for charts listed in constants.HelmChartsList. +func (Helm) Install() error { magetoolsutils.CheckPtermDebug() if os.Getenv("KUBECONFIG") != constants.Kubeconfig { pterm.Warning.Printfln("KUBECONFIG is not set to %s. Make sure direnv/env variables loading if you want to keep the project changes from changing your user KUBECONFIG.", constants.Kubeconfig) @@ -99,6 +99,9 @@ func (Helm) Install() { pterm.Debug.Println("debug flag enabled for helm") debugHelm = "--debug=true" // enable verbose output } + if _, err := os.Stat(constants.CacheCredentialFile); os.IsNotExist(err) { + return fmt.Errorf("credentials file: %s doesn't exist, so skipping", constants.CacheCredentialFile) + } if err := invokeHelm("upgrade", chart.ReleaseName, chart.ChartPath, 
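Review bot: The new `os.Stat(constants.CacheCredentialFile)` guard returns an error whose text says "skipping", but it aborts `Install` rather than skipping, and it appears to sit inside the per-chart loop (the `chart.ReleaseName` reference right after it suggests so; the loop header is outside the hunk), so the same file is checked once per chart. Hoist the check above the loop and make the message match the behaviour, e.g. `return fmt.Errorf("credentials file %s does not exist; create it before running helm install", constants.CacheCredentialFile)`. `os.IsNotExist` also only catches the absent-file case; a permission error falls through to helm with a less clear failure, so `if _, err := os.Stat(...); err != nil` is the safer form. `Install`'s body continues outside the hunk.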
@@ -112,6 +115,8 @@ func (Helm) Install() { "--force", // force resource updates through a replacement strategy "--wait-for-jobs", // will wait until all Jobs have been completed before marking the release as successful "--dependency-update", // update dependencies if they are missing before installing the chart + "--set-file", fmt.Sprintf("credentialsJson=%s", constants.CacheCredentialFile), + debugHelm, // NOTE: Can pass credentials/certs etc in. NOT ADDED YET - "--set-file", "sidecar.configFile=config.yaml", ); err != nil { @@ -120,6 +125,7 @@ func (Helm) Install() { pterm.Success.Printfln("successfully installed chart: %s", chart.ReleaseName) } } + return nil } // Uninstall uninstalls all the charts listed in constants.HelmChartsList. @@ -211,9 +217,9 @@ func Checkfile(file string) error { re = regexp.MustCompile(`repository:\s+[^\n]*`) match = re.Find(b) if match != nil { - pterm.Error.Printfln("❌ %s: not configured to use local image: %q", file, match) + pterm.Warning.Printfln("❌ %s: not configured to use local image: %q (this is fine if you are't building as a developer with changes)", file, match) } else { - pterm.Error.Printfln("❌ %s: not configured to use local image: repository not found", file) + pterm.Warning.Printfln("❌ %s: not configured to use local image: repository not found", file) } } @@ -225,9 +231,9 @@ func Checkfile(file string) error { re = regexp.MustCompile(`pullPolicy:\s+\w*`) match = re.Find(b) if match != nil { - pterm.Error.Printfln("❌ %s: not configured with pullPolicy: Never: %q", file, match) + pterm.Warning.Printfln("❌ %s: not configured with pullPolicy: Never: %q (this fine if you aren't building locally and just using docker image)", file, match) } else { - pterm.Error.Printfln("❌ %s: not configured with pullPolicy: Never: pullPolicy not found", file) + pterm.Warning.Printfln("❌ %s: not configured with pullPolicy: Never: pullPolicy not found", file) } } re = regexp.MustCompile(`tag:\s+[']?latest[']?`) 
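Review bot: `debugHelm` is now passed to `invokeHelm` unconditionally; its declaration is outside the hunk, but from the `debugHelm = "--debug=true"` assignment in the previous hunk it looks like an empty string when debug is off, in which case helm receives a bare `""` argument that it may treat as a stray positional. Append it only when set (`if debugHelm != "" { args = append(args, debugHelm) }`) or build the argument slice before the call. The downgraded `Checkfile` messages also carry typos in user-facing strings: `are't` in the `@@ -211` hunk and `this fine` in the `@@ -225` hunk. `Install` and `Checkfile` both continue outside these hunks.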
@@ -238,9 +244,9 @@ func Checkfile(file string) error { re = regexp.MustCompile(`tag:\s+[']?.*[']?`) match = re.Find(b) if match != nil { - pterm.Error.Printfln("❌ %s: not configured with tag: latest %q", file, match) + pterm.Warning.Printfln("❌ %s: not configured with tag: latest (this is fine if using docker image in cloud) %q", file, match) } else { - pterm.Error.Printfln("❌ %s: not configured with tag: Never, tag not found", file) + pterm.Warning.Printfln("❌ %s: not configured with tag: Never, tag not found", file) } } return nil diff --git a/magefiles/jobs.mage.go b/magefiles/jobs.mage.go index 12c07f4..fbbae44 100644 --- a/magefiles/jobs.mage.go +++ b/magefiles/jobs.mage.go @@ -26,7 +26,7 @@ func (Job) Init() { ) } -// Redeploy removes kubernetes resources and helm charts and then you can issue a chained command for k8s:logs to opt to stream logs. +// Redeploy removes k8s resources, helm uninstall, and then runs k8s apply and helm install. func (Job) Redeploy() { pterm.DefaultSection.Println("(Job) Redeploy()") mg.SerialDeps( diff --git a/magefiles/k8s/k8s.mage.go b/magefiles/k8s/k8s.mage.go index 45ef668..11fcf2c 100644 --- a/magefiles/k8s/k8s.mage.go +++ b/magefiles/k8s/k8s.mage.go @@ -20,7 +20,7 @@ import ( // k8s contains commands for kubectl and other kubernetes related commands. type K8s mg.Namespace -// Init copies the k8 yaml manifest files from the examples directory to the cache directory for editing and linking in integration testing. +// Init copies the k8 yaml manifest files from the examples directory to the cache directory. func (K8s) Init() error { magetoolsutils.CheckPtermDebug() pterm.DefaultHeader.Println("(K8s) Init()") @@ -148,7 +148,6 @@ func (K8s) OutputSecret() { "--cluster", constants.KindContextName, "get", "secret", secretname, - //"-o", "jsonpath='{.data.password}'", "-o", `go-template={{.data.password}}`, "--ignore-not-found", ) diff --git a/magefiles/magefile.go b/magefiles/magefile.go index 6efb166..09d4a6b 100644 
--- a/magefiles/magefile.go +++ b/magefiles/magefile.go @@ -17,6 +17,8 @@ import ( _ "github.com/DelineaXPM/dsv-k8s/v2/magefiles/kind" // mage:import _ "github.com/DelineaXPM/dsv-k8s/v2/magefiles/minikube" + // mage:import + _ "github.com/DelineaXPM/dsv-k8s/v2/magefiles/vault" "github.com/magefile/mage/mg" "github.com/magefile/mage/sh" "github.com/pterm/pterm" diff --git a/magefiles/minikube/minikube.mage.go b/magefiles/minikube/minikube.mage.go index 9fbf659..57b8491 100644 --- a/magefiles/minikube/minikube.mage.go +++ b/magefiles/minikube/minikube.mage.go @@ -147,7 +147,13 @@ func (Minikube) RemoveImages() { for { // Run the docker rmi command and capture the output - cmd := exec.Command("minikube", "image", "rm", "--profile", constants.KindClusterName, fmt.Sprintf("%s:latest", constants.DockerImageNameLocal)) + cmd := exec.Command( //nolint:gosec // this is a local command being built + "minikube", + "image", + "rm", + "--profile", constants.KindClusterName, + fmt.Sprintf("%s:latest", constants.DockerImageNameLocal), + ) out, err := cmd.CombinedOutput() output = string(out) if err != nil { @@ -163,7 +169,7 @@ func (Minikube) RemoveImages() { pterm.Info.Printf("Still waiting for image to unload (elapsed time: %s)\n", elapsed.Round(time.Second)) // Wait for 3 seconds before trying again - time.Sleep(3 * time.Second) + time.Sleep(3 * time.Second) //nolint:gomnd // no need to make a constant elapsed += 3 * time.Second } diff --git a/magefiles/vault/vault.mage.go b/magefiles/vault/vault.mage.go new file mode 100644 index 0000000..dcabfb1 --- /dev/null +++ b/magefiles/vault/vault.mage.go 
@@ -0,0 +1,221 @@ +package vault + +import ( + "encoding/json" + "fmt" + "os" + "path/filepath" + + "github.com/DelineaXPM/dsv-k8s/v2/magefiles/constants" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + "github.com/pterm/pterm" + "github.com/sheldonhull/magetools/pkg/magetoolsutils" +) + +// DSV is the namespace for mage tasks related to DSV, such as client credential creation. +type DSV mg.Namespace + +var ( + dsvprofilename = os.Getenv("DSV_PROFILE_NAME") + rolename = "dsv-k8s-tests" + policyname = fmt.Sprintf("secrets:%s", secretpath) + policysubjects = fmt.Sprintf("roles:%s", rolename) + policyresources = fmt.Sprintf("secrets:%s:<.*>", secretpath) + secretpath = fmt.Sprintf("tests:%s", "dsv-k8s") + // secretpathclient = fmt.Sprintf("clients:%s", secretpath) + desc = "a secret for testing operation of with dsv-k8s" + clientcredfile = filepath.Join(constants.CacheDirectory, fmt.Sprintf("%s.json", rolename)) + clientcredname = rolename + secretkey = "food" // just simple test placeholder for now + testsecretkey = fmt.Sprintf("secrets:%s:%s", secretpath, secretkey) + //nolint:gosec // test value, so fine to leave hard coded + testsecretvalue = ` +{ + "taco":"burrito", + "username": "tacoeater", + "domain": "tacoeater.com" +} +` // placeholder for testing, not sensitive, and ok to leave for now +) + +// checkDSVProfileName checks if the DSV_PROFILE_NAME is set and returns an error if not. +func checkDSVProfileName() error { + if dsvprofilename == "" { + pterm.Error.Println( + "DSV_PROFILE_NAME is not set and this is required to ensure the correct dsv tenant for testing is used", + ) + return fmt.Errorf("DSV_PROFILE_NAME is required") + } + return nil +} + +// ➕ SetupDSV creates the policy, role, and client credentials. 
+func (DSV) SetupDSV() error { + magetoolsutils.CheckPtermDebug() + if err := checkDSVProfileName(); err != nil { + pterm.Error.Println("DSV_PROFILE_NAME is not set and this is required to automate the setup of the test credentials") + return fmt.Errorf("DSV_PROFILE_NAME is required: %w", err) + } + pterm.Warning.Println("WIP: initial creation to help with future testing setup, may need refinement") + logger := pterm.DefaultLogger.WithLevel(pterm.LogLevelInfo).WithCaller(true) + + // dsv role create + logger.Info("creating role", logger.Args("rolename", rolename)) + + if err := sh.RunV("dsv", "role", "create", "--name", rolename, "--profile", dsvprofilename); err != nil { + logger.Warn("unable to create role", logger.Args("rolename", rolename)) + } + logger.Info("created role", logger.Args("rolename", rolename)) + + // dsv policy create + if err := sh.RunV("dsv", "policy", "create", + "--path", policyname, + "--actions", "read,list", + "--effect", "allow", + "--subjects", policysubjects, + "--desc", fmt.Sprintf("scoped access for %s by %s", secretpath, rolename), + "--resources", policyresources, + "--profile", dsvprofilename, + ); err != nil { + logger.Warn("unable to create policy", logger.Args("policyname", rolename)) + } + logger.Info("created policy", logger.Args("policyname", rolename)) + + logger.Info("creating client credentials", logger.Args("clientcredname", clientcredname)) + err := sh.RunV( + "dsv", + "client", + "create", + "--role", rolename, + "--plain", + "--profile", dsvprofilename, + "--out", fmt.Sprintf("file:%s", clientcredfile), + ) + if err != nil { + logger.Warn("unable to create client credentials", logger.Args("clientcredname", clientcredname)) + } + logger.Info("created client credentials", logger.Args("clientcredname", clientcredname)) + + type ClientCredentials struct { + ClientID string `json:"clientId"` //nolint:tagliatelle // json tag required as is + Secret string `json:"clientSecret"` //nolint:tagliatelle // json tag required as is 
+ } + + b, err := os.ReadFile(clientcredfile) + if err != nil { + logger.Error( + "unable to read client credentials file", + logger.Args("clientcredfile", clientcredfile, "error", err), + ) + return err + } + var clientcred ClientCredentials + err = json.Unmarshal(b, &clientcred) + if err != nil { + logger.Error( + "unable to unmarshal client credentials file", + logger.Args("clientcredfile", clientcredfile, "error", err), + ) + return err + } + + logger.Info("Put in .cache/charts/dsv-k8s/values.yaml", logger.Args( + "clientID", clientcred.ClientID, + "clientSecret", clientcred.Secret, + )) + + return nil +} + +// 🔐 CreateSecret creates a secret for usage with this specific client, policy, and role setup. +// This probably needs refactoring to allow input via pterm or via file. +// At time of creation (2023-04) it's a draft task to help with better test setup for developers wanting to test and have isolated +// permissions for just this specific secret path, role, client. It's all hard coded but can improve in the future. 
+func (DSV) CreateSecret() error { + magetoolsutils.CheckPtermDebug() + if err := checkDSVProfileName(); err != nil { + pterm.Error.Println("DSV_PROFILE_NAME is not set and this is required to automate the setup of the test credentials") + return fmt.Errorf("DSV_PROFILE_NAME is required: %w", err) + } + + logger := pterm.DefaultLogger.WithLevel(pterm.LogLevelInfo).WithCaller(true) + logger.Info("creating secret for DSV client") + secretkey := "food" + if err := sh.RunV( + "dsv", + "secret", + "create", + "--path", testsecretkey, + "--data", testsecretvalue, + "--desc", desc, + "--profile", dsvprofilename, + ); err != nil { + logger.Error("unable to create secret", logger.Args("secretkey", secretkey, "error", err)) + return err + } + logger.Info("created secret for DSV client", logger.Args("secretkey", secretkey)) + return nil +} + +// ConvertClientToCredentials reads the client credentials created in .cache and converts to the format the helm chart/injector expect. +func (DSV) ConvertClientToCredentials() error { + if os.Getenv("DSV_TENANT_NAME") == "" { + return fmt.Errorf("DSV_TENANT_NAME is required, make sure you've set in .env and run `direnv allow`") + } + // Read the input JSON file + input, err := os.ReadFile(clientcredfile) + if err != nil { + return err + } + + // Unmarshal the input JSON into a struct + var data struct { + ClientID string `json:"clientId"` //nolint:tagliatelle // json tag required as is + ClientSecret string `json:"clientSecret"` //nolint:tagliatelle // json tag required as is + } + if err := json.Unmarshal(input, &data); err != nil { + return err + } + + // Create the output JSON struct + output := struct { + Default struct { + Credentials struct { + ClientID string `json:"clientId"` //nolint:tagliatelle // json tag required as is + ClientSecret string `json:"clientSecret"` //nolint:tagliatelle // json tag required as is + } `json:"credentials"` + Tenant string `json:"tenant"` + } `json:"default"` + }{ + Default: struct { + Credentials 
struct { + ClientID string `json:"clientId"` + ClientSecret string `json:"clientSecret"` + } `json:"credentials"` + Tenant string `json:"tenant"` + }{ + Credentials: struct { + ClientID string `json:"clientId"` + ClientSecret string `json:"clientSecret"` + }{ + ClientID: data.ClientID, + ClientSecret: data.ClientSecret, + }, + Tenant: os.Getenv("DSV_TENANT_NAME"), + }, + } + + // Marshal the output JSON + outputJSON, err := json.MarshalIndent(output, "", " ") + if err != nil { + return err + } + + // Write the output JSON to a file + if err := os.WriteFile(constants.CacheCredentialFile, outputJSON, constants.PermissionUserReadWriteExecute); err != nil { + return err + } + + return nil +} diff --git a/pkg/patch/patch_test.go b/pkg/patch/patch_test.go index f1d8b0a..5057f57 100644 --- a/pkg/patch/patch_test.go +++ b/pkg/patch/patch_test.go @@ -1,8 +1,8 @@ // Patch test file runs integration tests against a secret, based on reaching out to DSV. // -// - Create a secret with the following command to test against: `dsv secret create --path 'k8s:sync:test' --data '{"password": "","username": ""}'` -// - Hard delete to reset test: `dsv secret delete --path 'k8s:sync:test' --force` -// - Rollback to a prior version: `dsv secret rollback --path 'k8s:sync:test' --version 0`. +// - Create a secret with the following command to test against: `dsv secret create --path 'tests:dsv-k8s' --data '{"password": "","username": ""}'` +// - Hard delete to reset test: `dsv secret delete --path 'tests:dsv-k8s' --force` +// - Rollback to a prior version: `dsv secret rollback --path 'tests:dsv-k8s' --version 0`. package patch import ( From e9fbd95d27b66fbfdb5b773cec8e9799dffdae61 Mon Sep 17 00:00:00 2001 From: Sheldon Hull Date: Thu, 31 Aug 2023 01:29:09 +0000 Subject: [PATCH 3/7] refactor: remove deprecated ioutil, improve error wrapping --- pkg/config/credentials.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
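Review bot: `SetupDSV` prints the freshly created client secret in clear text via `logger.Info("Put in .cache/charts/dsv-k8s/values.yaml", logger.Args(..., "clientSecret", clientcred.Secret))`, which leaves a live credential in terminal scrollback and any captured build log; log only the client ID and the path of `clientcredfile` instead. `ConvertClientToCredentials` writes `constants.CacheCredentialFile` with `constants.PermissionUserReadWriteExecute`, and judging by the name that sets the execute bit on a JSON credentials file, where a user-only read/write mode is what is wanted (the constant's value is declared outside this diff). The role, policy and client creation steps only `Warn` on failure and then unconditionally log `created ...`, so a failed step is reported as success; return the error or at least skip the success line, and `logger.Warn("unable to create policy", logger.Args("policyname", rolename))` should pass `policyname`. `CreateSecret` also declares a local `secretkey := "food"` that shadows the package-level `secretkey`.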
diff --git a/pkg/config/credentials.go b/pkg/config/credentials.go index 2efe44f..29f1deb 100644 --- a/pkg/config/credentials.go +++ b/pkg/config/credentials.go @@ -17,7 +17,7 @@ type Credentials map[string]struct { // GetCredentials opens the credentialsFile and calls GetCredentialsFromFile on the resulting file func GetCredentials(credentialsFilePath string) (*Credentials, error) { if credentialsFile, err := os.Open(credentialsFilePath); err != nil { - return nil, fmt.Errorf("unable to open configuration file '%s': %s", credentialsFilePath, err) + return nil, fmt.Errorf("unable to open configuration file '%s': %w", credentialsFilePath, err) } else { defer credentialsFile.Close() return GetCredentialsFromFile(credentialsFile) @@ -26,18 +26,18 @@ func GetCredentials(credentialsFilePath string) (*Credentials, error) { // GetCredentialsFromFile parses the credentialsFile and returns the resulting Credentials object func GetCredentialsFromFile(credentialsFile *os.File) (*Credentials, error) { - if contents, err := ioutil.ReadAll(credentialsFile); err != nil { - return nil, fmt.Errorf("unable to read configuration file '%s': %s", credentialsFile.Name(), err) + if contents, err := os.ReadAll(credentialsFile); err != nil { + return nil, fmt.Errorf("unable to read configuration file '%s': %w", credentialsFile.Name(), err) } else { return MakeCredentials(contents) } } -func MakeCredentials(credentialJson []byte) (*Credentials, error) { +func MakeCredentials(credentialJSON []byte) (*Credentials, error) { credentials := new(Credentials) - if err := json.Unmarshal(credentialJson, credentials); err != nil { - return nil, fmt.Errorf("unable to unmarhal configuration: %s", err) + if err := json.Unmarshal(credentialJSON, credentials); err != nil { + return nil, fmt.Errorf("unable to unmarshal configuration: %w", err) } else { return credentials, nil } From 683685dec5658a9cca3c24a66aff9b873ef429cc Mon Sep 17 00:00:00 2001 
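Review bot: `MakeCredentials` is exported but has no doc comment while the two functions above it do; `// MakeCredentials parses credentialJSON into a Credentials object.` keeps the file consistent. All three functions keep the `if v, err := ...; err != nil { return ... } else { ... }` shape; the early-return idiom (check the error, `defer credentialsFile.Close()`, then a plain `return GetCredentialsFromFile(credentialsFile)`) reads better and avoids scoping the value inside the `else`. `os.ReadAll` is not a standard-library function, so this patch as written does not compile (the series corrects it to `io.ReadAll` in the next patch). The wrapped `os.Open` error already carries the path, so the `'%s'` in the open message repeats it; harmless, but worth knowing when reading logs.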
From: Sheldon Hull Date: Thu, 31 Aug 2023 01:31:45 +0000 Subject: [PATCH 4/7] refactor: fix reference --- pkg/config/credentials.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/config/credentials.go b/pkg/config/credentials.go index 29f1deb..638df4d 100644 --- a/pkg/config/credentials.go +++ b/pkg/config/credentials.go @@ -3,7 +3,7 @@ package config import ( "encoding/json" "fmt" - "io/ioutil" + "io" "os" "github.com/DelineaXPM/dsv-sdk-go/v2/vault" @@ -26,7 +26,7 @@ func GetCredentials(credentialsFilePath string) (*Credentials, error) { // GetCredentialsFromFile parses the credentialsFile and returns the resulting Credentials object func GetCredentialsFromFile(credentialsFile *os.File) (*Credentials, error) { - if contents, err := os.ReadAll(credentialsFile); err != nil { + if contents, err := io.ReadAll(credentialsFile); err != nil { return nil, fmt.Errorf("unable to read configuration file '%s': %w", credentialsFile.Name(), err) } else { return MakeCredentials(contents) From fbc112d843fcb9e8072d32f310166fc6c3332679 Mon Sep 17 00:00:00 2001 From: Sheldon Hull Date: Sat, 2 Sep 2023 00:19:29 +0000 Subject: [PATCH 5/7] wip --- .aqua/aqua.yaml | 2 +- ...237\224\250 Refactor-20230902-001843.yaml" | 3 + ...7\244\226 CI & Build-20230902-001908.yaml" | 4 ++ docs/configure.md | 8 +++ docs/troubleshooting.md | 17 ++++++ magefiles/vault/vault.mage.go | 61 ++++++++++++++++--- 6 files changed, 85 insertions(+), 10 deletions(-) create mode 100644 ".changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" create mode 100644 ".changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" diff --git a/.aqua/aqua.yaml b/.aqua/aqua.yaml index 301df23..eba652e 100644 --- a/.aqua/aqua.yaml +++ b/.aqua/aqua.yaml @@ -32,7 +32,6 @@ packages: - name: kubernetes/kubectl version: v1.25.2 - name: helm/helm@v3.11.1 - - name: DelineaXPM/dsv-cli@v1.40.1 - name: kubernetes/minikube@v1.31.2 tags: ['ci'] - name: stern/stern@v1.23.0 
@@ -43,3 +42,4 @@ packages: version: v1.4.2 registry: local tags: ['goinstall'] + - name: DelineaXPM/dsv-cli@v1.40.5 diff --git "a/.changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" "b/.changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" new file mode 100644 index 0000000..749e90e --- /dev/null +++ "b/.changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" @@ -0,0 +1,3 @@ +kind: "\U0001F528 Refactor" +body: Improve logging with error wrapping and remove deprecated Go `ioutil` usage. +time: 2023-09-02T00:18:43.498923266Z diff --git "a/.changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" "b/.changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" new file mode 100644 index 0000000..74530f2 --- /dev/null +++ "b/.changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" @@ -0,0 +1,4 @@ +kind: "\U0001F916 CI & Build" +body: | + Improve mage tasks with secret setup and tear down for better development support and troubleshooting. +time: 2023-09-02T00:19:08.498047478Z diff --git a/docs/configure.md b/docs/configure.md index 7ad533e..d202dc2 100644 --- a/docs/configure.md +++ b/docs/configure.md @@ -10,6 +10,14 @@ This requires you to have already run `dsv init` in the project and runs against You should ensure `direnv allow` has been run and the `.env` file is loaded. Your `zsh` terminal should warn you if you didn't create the `.env` file. +The order: + +- `mage dsv:setupdsv` +- `mage dsv:createsecret` +- `mage dsv:convertClientToCredentials` + +To tear down and recreate with new secret, just run `mage dsv:destroy` + ## Manually Creating (Prior Method Before Automation) ### JSON Credentials for Helm Install diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index d529d9f..1ad4d73 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -1,5 +1,22 @@ # Troubleshooting +## Supporting Alternative TLD + +If you are using an alternative TLD, such as `https://{mytenant}.secretsvaultcloud.eu`, try adding the tld to the credentials file. + +```json +{ + "default": { + "credentials": { + "clientId": "", + "clientSecret": "" + }, + "tenant": "mytenant", + "tld": "eu" + } +} +``` + ## Obtaining Logs For both customers and development, stern allows easier debugging by providing a stream of the logs for both syncer & injector in one workflow. diff --git a/magefiles/vault/vault.mage.go b/magefiles/vault/vault.mage.go index dcabfb1..9bdecd8 100644 --- a/magefiles/vault/vault.mage.go +++ b/magefiles/vault/vault.mage.go @@ -14,15 +14,22 @@ import ( ) // DSV is the namespace for mage tasks related to DSV, such as client credential creation. -type DSV mg.Namespace +type ( + DSV mg.Namespace + ClientCredentials struct { + ClientID string `json:"clientId"` //nolint:tagliatelle // json tag required as is + Secret string `json:"clientSecret"` //nolint:tagliatelle // json tag required as is + } +) var ( dsvprofilename = os.Getenv("DSV_PROFILE_NAME") rolename = "dsv-k8s-tests" + secretpath = fmt.Sprintf("tests:%s", "dsv-k8s") policyname = fmt.Sprintf("secrets:%s", secretpath) policysubjects = fmt.Sprintf("roles:%s", rolename) policyresources = fmt.Sprintf("secrets:%s:<.*>", secretpath) - secretpath = fmt.Sprintf("tests:%s", "dsv-k8s") + // secretpathclient = fmt.Sprintf("clients:%s", secretpath) desc = "a secret for testing operation of with dsv-k8s" clientcredfile = filepath.Join(constants.CacheDirectory, fmt.Sprintf("%s.json", rolename)) 
@@ -57,9 +64,11 @@ func (DSV) SetupDSV() error { pterm.Error.Println("DSV_PROFILE_NAME is not set and this is required to automate the setup of the test credentials") return fmt.Errorf("DSV_PROFILE_NAME is required: %w", err) } - pterm.Warning.Println("WIP: initial creation to help with future testing setup, may need refinement") logger := pterm.DefaultLogger.WithLevel(pterm.LogLevelInfo).WithCaller(true) - + if _, err := os.Stat(clientcredfile); err == nil { + logger.Error("client credentials already exist, please run `mage vault:destroy` to remove and try again") + return fmt.Errorf("tear down existing test credentials before recreate to avoid conflicts") + } // dsv role create logger.Info("creating role", logger.Args("rolename", rolename)) @@ -97,11 +106,6 @@ func (DSV) SetupDSV() error { } logger.Info("created client credentials", logger.Args("clientcredname", clientcredname)) - type ClientCredentials struct { - ClientID string `json:"clientId"` //nolint:tagliatelle // json tag required as is - Secret string `json:"clientSecret"` //nolint:tagliatelle // json tag required as is - } - b, err := os.ReadFile(clientcredfile) if err != nil { logger.Error( 
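Review bot: The new guard's message tells the user to run `mage vault:destroy`, but the task is declared on the `DSV` namespace and `docs/configure.md` in this same patch calls it `mage dsv:destroy`, so the hint points at a target that does not exist; change the string to `mage dsv:destroy`. The `os.Stat` check treats only `err == nil` as "exists", so a permission error on the file is silently taken as "absent" and setup proceeds to overwrite it; `errors.Is(err, fs.ErrNotExist)` would separate the two cases, though for a local cache file the current form is probably acceptable. `SetupDSV`'s body continues outside the hunk.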
@@ -219,3 +223,42 @@ func (DSV) ConvertClientToCredentials() error {
 return nil
 }
+
+// 🗑️ Destroy tears down the test credentials hard setup by this automation only
+func (DSV) Destroy() {
+ // if .cache/credentials.json exists, then read and get the clientid. use this as input for the client delete
+ var clientcredid string
+ if _, err := os.Stat(clientcredfile); err == nil {
+ // file exists
+ b, err := os.ReadFile(clientcredfile)
+ if err != nil {
+ pterm.Warning.Println("unable to read client credentials file, this may be expected if already deleted")
+ }
+ var clientcred ClientCredentials
+ err = json.Unmarshal(b, &clientcred)
+ if err != nil {
+ pterm.Warning.Println("unable to unmarshal client credentials file, this may be expected if already deleted")
+ }
+ clientcredid = clientcred.ClientID
+ // run dsv client delete against the test credentials, warn only on error
+ if err := sh.RunV("dsv", "client", "delete", "--client-id", clientcredid, "--profile", dsvprofilename, "--force"); err != nil {
+ pterm.Warning.Println("unable to delete client credentials, this may be expected if already deleted")
+ }
+ }
+
+ // run dsv policy delete against the test role, warn only on error
+ if err := sh.RunV("dsv", "policy", "delete", "--path", policyname, "--profile", dsvprofilename, "--force"); err != nil {
+ pterm.Warning.Println("unable to delete policy, this may be expected if already deleted")
+ }
+ // run dsv role delete against the test role, warn only on error
+ if err := sh.RunV("dsv", "role", "delete", "--name", rolename, "--profile", dsvprofilename, "--force"); err != nil {
+ pterm.Warning.Println("unable to delete role, this may be expected if already deleted")
+ }
+
+ // remove the test secret with force, and warn only on error
+ if err := sh.RunV("dsv", "secret", "delete", "--path", testsecretkey, "--profile", dsvprofilename, "--force"); err != nil {
+ pterm.Warning.Println("unable to delete secret, this may be expected if already deleted")
+ }
+
+ _ =
sh.Rm(clientcredfile) +} From f4ce3c6f2b429025f319b39a0df362650ea11d68 Mon Sep 17 00:00:00 2001 From: Sheldon Hull Date: Tue, 5 Sep 2023 21:17:20 +0000 Subject: [PATCH 6/7] fix: the secret is now found --- .aqua/aqua.yaml | 3 ++- .trunk/.gitignore | 2 +- .trunk/trunk.yaml | 22 ++++++++++++------- Tiltfile | 4 ++-- .../dsv-syncer/templates/syncer-cronjob.yaml | 2 +- docs/setup-developer.md | 5 +++++ examples/add-to-secret.yml | 3 ++- examples/set-secret.yml | 3 ++- examples/update-secret.yml | 3 ++- magefiles/vault/vault.mage.go | 8 +++---- 10 files changed, 35 insertions(+), 20 deletions(-) diff --git a/.aqua/aqua.yaml b/.aqua/aqua.yaml index eba652e..b78dae8 100644 --- a/.aqua/aqua.yaml +++ b/.aqua/aqua.yaml @@ -6,7 +6,7 @@ checksum: require_checksum: false registries: - type: standard - ref: v4.39.0 # renovate: depName=aquaproj/aqua-registry + ref: v4.44.1 # renovate: depName=aquaproj/aqua-registry - name: local type: local path: registry.yaml @@ -43,3 +43,4 @@ packages: registry: local tags: ['goinstall'] - name: DelineaXPM/dsv-cli@v1.40.5 + - name: gitleaks/gitleaks@v8.18.0 diff --git a/.trunk/.gitignore b/.trunk/.gitignore index 695b519..1e24652 100644 --- a/.trunk/.gitignore +++ b/.trunk/.gitignore @@ -2,7 +2,7 @@ *logs *actions *notifications +*tools plugins user_trunk.yaml user.yaml -tools diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index ee143bd..482e5b7 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -2,7 +2,7 @@ version: 0.1 plugins: sources: - id: trunk - ref: v1.0.0 + ref: v1.2.1 uri: https://github.com/trunk-io/plugins actions: enabled: @@ -30,7 +30,7 @@ actions: - id: helm-lint # runtime: go description: run helm lint on pre-push - run: 'helm lint --quiet --strict charts/*' + run: 'helm lint --quiet charts/*' triggers: - git_hooks: [pre-push] runtimes: @@ -39,7 +39,7 @@ runtimes: - node@18.12.1 - python@3.10.8 cli: - version: 1.13.0 + version: 1.15.0 lint: threshold: - linters: [gitleaks] 
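Review bot: In `Destroy`, a failed `os.ReadFile` or `json.Unmarshal` only warns and execution still reaches `sh.RunV("dsv", "client", "delete", "--client-id", clientcredid, ...)` with an empty id, so the CLI is invoked with `--client-id ""` and the real test client is never removed. Guarding the delete on a non-empty `clientcred.ClientID` fixes that, and `_ = sh.Rm(clientcredfile)` should at least warn on failure because that file holds the plaintext client secret and a leftover copy is exactly what a teardown exists to prevent. The opening comment names `.cache/credentials.json` while the code reads `clientcredfile`, which resolves to `dsv-k8s-tests.json` under the cache directory, so it should name the variable instead. The rewritten file branch and the final removal follow; the policy, role and secret deletes are unchanged.
```go
	if _, err := os.Stat(clientcredfile); err == nil {
		var clientcred ClientCredentials
		b, err := os.ReadFile(clientcredfile)
		if err != nil {
			pterm.Warning.Println("unable to read client credentials file, this may be expected if already deleted")
		} else if err := json.Unmarshal(b, &clientcred); err != nil {
			pterm.Warning.Println("unable to unmarshal client credentials file, this may be expected if already deleted")
		}
		// only call the API when an id was actually recovered; an empty --client-id can never match the test client
		if clientcred.ClientID != "" {
			if err := sh.RunV("dsv", "client", "delete", "--client-id", clientcred.ClientID, "--profile", dsvprofilename, "--force"); err != nil {
				pterm.Warning.Println("unable to delete client credentials, this may be expected if already deleted")
			}
		}
	}
	// … unchanged: policy, role and secret deletes …
	// the cached file holds the plaintext client secret, so a failed removal is worth surfacing
	if err := sh.Rm(clientcredfile); err != nil {
		pterm.Warning.Printfln("unable to remove %s: %v", clientcredfile, err)
	}
```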
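Review bot: Dropping `--strict` from the `helm-lint` pre-push action in `.trunk/trunk.yaml` means chart warnings no longer block a push, and the hunk gives no reason for the relaxation. If a specific warning was blocking, a comment on the `run:` line naming it, e.g. `# --strict removed: <warning name, placeholder> fires on the current charts`, keeps the decision reviewable and makes it easy to restore later.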
@@ -48,16 +48,22 @@ lint: - cspell - gofmt enabled: + - checkov@2.4.9 + - gokart@0.5.1 + - osv-scanner@1.3.6 + - terrascan@1.18.3 + - trivy@0.44.1 + - trufflehog@3.54.3 - gofumpt@0.5.0 - - renovate@36.49.0 + - renovate@36.81.0 - golangci-lint@SYSTEM - git-diff-check - taplo@0.8.1 - - markdownlint@0.35.0 - - prettier@3.0.2 + - markdownlint@0.36.0 + - prettier@3.0.3 - actionlint@1.6.25 - hadolint@2.12.0 - - gitleaks@8.17.0 + - gitleaks@8.18.0 - shellcheck@0.9.0 - shfmt@3.6.0 - yamllint@1.32.0 @@ -69,7 +75,7 @@ lint: - actionlint@1.6.25 - gitleaks@8.15.3 - hadolint@2.12.0 - - markdownlint@0.35.0 + - markdownlint@0.36.0 - shellcheck@0.9.0 - shfmt@3.6.0 diff --git a/Tiltfile b/Tiltfile index 6fe969b..0fba16e 100644 --- a/Tiltfile +++ b/Tiltfile @@ -175,7 +175,7 @@ local_resource( deps=['.cache/'], resource_deps=[ "job:init", - "job:rebuildimages" + # "job:rebuildimages" ], auto_init=False, labels=["deploy"], @@ -217,4 +217,4 @@ local_resource( labels=["setup"], ) -# k8s_resource('injector', resource_deps='minikube:init', pod_readiness='ignore') \ No newline at end of file +# k8s_resource('injector', resource_deps='minikube:init', pod_readiness='ignore') diff --git a/charts/dsv-syncer/templates/syncer-cronjob.yaml b/charts/dsv-syncer/templates/syncer-cronjob.yaml index c1816ec..882183e 100644 --- a/charts/dsv-syncer/templates/syncer-cronjob.yaml +++ b/charts/dsv-syncer/templates/syncer-cronjob.yaml @@ -43,4 +43,4 @@ spec: volumes: - name: credentials secret: - secretName: {{ .Values.dsvInjectorCredentialsSecretName }} \ No newline at end of file + secretName: {{ .Values.dsvInjectorCredentialsSecretName }} diff --git a/docs/setup-developer.md b/docs/setup-developer.md index 67d51ce..98d4f5f 100644 --- a/docs/setup-developer.md +++ b/docs/setup-developer.md 
@@ -15,6 +15,11 @@ As always, the source of truth is `mage` so if the task names in the doc don't work, check the CLI for the proper commands. +## Optional + +If you are using codespaces, most of the tooling should be ready out of the box as long as you open `zsh` terminal. +Run `tilt up` and then you can invoke much of this (including watch the logs stream) from the terminal. + ## Reference - Optional: [devcontainer/codespaces](devcontainer.md) diff --git a/examples/add-to-secret.yml b/examples/add-to-secret.yml index 03ae51e..314939f 100644 --- a/examples/add-to-secret.yml +++ b/examples/add-to-secret.yml @@ -1,10 +1,11 @@ +# trunk-ignore-all(trivy,checkov,gitleaks): ignore, examples file with hard coded values --- apiVersion: v1 kind: Secret metadata: name: user-domain annotations: - dsv.delinea.com/add-to-secret: 'tests:dsv-k8s' + dsv.delinea.com/add-to-secret: 'tests:dsv-k8s:food' type: Opaque data: username: dW5tb2RpZmllZC11c2VybmFtZQ== diff --git a/examples/set-secret.yml b/examples/set-secret.yml index ba73fd4..a6fbd6a 100644 --- a/examples/set-secret.yml +++ b/examples/set-secret.yml @@ -1,3 +1,4 @@ +# trunk-ignore-all(trivy,checkov,gitleaks): ignore, examples file with hard coded values --- apiVersion: v1 kind: Secret @@ -5,7 +6,7 @@ metadata: name: user-domain-pass annotations: # dsv.delinea.com/credentials: app1 # or default if not using multiple credentials - dsv.delinea.com/set-secret: 'tests:dsv-k8s' + dsv.delinea.com/set-secret: 'tests:dsv-k8s:food' type: Opaque data: username: dW5tb2RpZmllZC11c2VybmFtZQ== diff --git a/examples/update-secret.yml b/examples/update-secret.yml index 1a8f3c0..9bbb555 100644 --- a/examples/update-secret.yml +++ b/examples/update-secret.yml 
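Review bot: `# trunk-ignore-all(trivy,checkov,gitleaks)` at the top of `examples/add-to-secret.yml` silences secret scanning for the whole file, so a real credential pasted into the `data:` block later would not be caught; the same applies to `examples/set-secret.yml` on this line and `examples/update-secret.yml` on the next. A per-line `# trunk-ignore(gitleaks): example placeholder` on the base64 `username:`/`password:` entries, or at least narrowing the file-wide ignore to `trivy,checkov`, keeps the secret scanner active on the example manifests. The ignore comment should also say the values are placeholders rather than `hard coded values`, which reads as if they were real.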
@@ -1,10 +1,11 @@ +# trunk-ignore-all(trivy,checkov,gitleaks): ignore, examples file with hard coded values --- apiVersion: v1 kind: Secret metadata: name: pass-domain annotations: - dsv.delinea.com/update-secret: 'tests:dsv-k8s' + dsv.delinea.com/update-secret: 'tests:dsv-k8s:food' type: Opaque data: password: dW5tb2RpZmllZC1wYXNzd29yZA== diff --git a/magefiles/vault/vault.mage.go b/magefiles/vault/vault.mage.go index 9bdecd8..a00bfa5 100644 --- a/magefiles/vault/vault.mage.go +++ b/magefiles/vault/vault.mage.go @@ -194,14 +194,14 @@ func (DSV) ConvertClientToCredentials() error { }{ Default: struct { Credentials struct { - ClientID string `json:"clientId"` - ClientSecret string `json:"clientSecret"` + ClientID string `json:"clientId"` //nolint:tagliatelle // json tag required as is + ClientSecret string `json:"clientSecret"` //nolint:tagliatelle // json tag required as is } `json:"credentials"` Tenant string `json:"tenant"` }{ Credentials: struct { - ClientID string `json:"clientId"` - ClientSecret string `json:"clientSecret"` + ClientID string `json:"clientId"` //nolint:tagliatelle // json tag required as is + ClientSecret string `json:"clientSecret"` //nolint:tagliatelle // json tag required as is }{ ClientID: data.ClientID, ClientSecret: data.ClientSecret, From ee8817320d9a4cefc4252d88f20987a62fca1ca6 Mon Sep 17 00:00:00 2001 
From: Sheldon Hull Date: Tue, 5 Sep 2023 22:08:12 +0000 Subject: [PATCH 7/7] docs: make the docs rain --- .aqua/aqua.yaml | 2 +- ...270\217 Dependencies-20230817-161010.yaml" | 3 --- ...237\224\250 Refactor-20230902-001843.yaml" | 3 --- ...7\244\226 CI & Build-20230902-001908.yaml" | 4 ---- .changes/v1.2.1.md | 22 +++++++++++++++++++ .github/workflows/lint.yml | 8 +++---- .github/workflows/release.yml | 4 +++- CHANGELOG.md | 16 ++++++++++++++ charts/dsv-injector/Chart.yaml | 4 ++-- charts/dsv-injector/values.yaml | 2 +- charts/dsv-syncer/Chart.yaml | 4 ++-- charts/dsv-syncer/values.yaml | 2 +- 12 files changed, 52 insertions(+), 22 deletions(-) delete mode 100644 ".changes/unreleased/\342\254\206\357\270\217 Dependencies-20230817-161010.yaml" delete mode 100644 ".changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" delete mode 100644 ".changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" create mode 100644 .changes/v1.2.1.md diff --git a/.aqua/aqua.yaml b/.aqua/aqua.yaml index b78dae8..5d76858 100644 --- a/.aqua/aqua.yaml +++ b/.aqua/aqua.yaml @@ -13,7 +13,7 @@ registries: packages: - name: miniscruff/changie@v1.12.0 tags: ['release'] - - name: golang/go@go1.20.3 + - name: golang/go@go1.21.0 tags: ['first', 'release', 'test', 'scan', 'lint'] - name: direnv/direnv@v2.32.2 - name: magefile/mage@v1.14.0 diff --git "a/.changes/unreleased/\342\254\206\357\270\217 Dependencies-20230817-161010.yaml" "b/.changes/unreleased/\342\254\206\357\270\217 Dependencies-20230817-161010.yaml" deleted file mode 100644 index a281b66..0000000 --- "a/.changes/unreleased/\342\254\206\357\270\217 Dependencies-20230817-161010.yaml" +++ /dev/null @@ -1,3 +0,0 @@ -kind: ⬆️ Dependencies -body: Bump changie installation, goreleaser. -time: 2023-08-17T16:10:10.261254759Z 
diff --git "a/.changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" "b/.changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" deleted file mode 100644 index 749e90e..0000000 --- "a/.changes/unreleased/\360\237\224\250 Refactor-20230902-001843.yaml" +++ /dev/null @@ -1,3 +0,0 @@ -kind: "\U0001F528 Refactor" -body: Improve logging with error wrapping and remove deprecated Go `ioutil` usage. -time: 2023-09-02T00:18:43.498923266Z diff --git "a/.changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" "b/.changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" deleted file mode 100644 index 74530f2..0000000 --- "a/.changes/unreleased/\360\237\244\226 CI & Build-20230902-001908.yaml" +++ /dev/null @@ -1,4 +0,0 @@ -kind: "\U0001F916 CI & Build" -body: | - Improve mage tasks with secret setup and tear down for better development support and troubleshooting. -time: 2023-09-02T00:19:08.498047478Z diff --git a/.changes/v1.2.1.md b/.changes/v1.2.1.md new file mode 100644 index 0000000..ca82374 --- /dev/null +++ b/.changes/v1.2.1.md 
@@ -0,0 +1,22 @@ +## v1.2.1 - 2023-09-05 + +### 📘 Documentation + +- Include detail on providing `tld` in the configuration, allowing `eu` and other TLDs to be used. +- Mention `tilt up` in the initial setup config as viable option. + +### 🤖 CI & Build + +- Improve mage tasks with secret setup and tear down for better development support and troubleshooting. +- Bump go version in release pipeline to use `1.21` as can include standard library security improvements. +- Remove failing error condition on `mage job:rebuild` to better allow default setup without running local builds, such as just using the published docker image. + This supports easier demo/test usage by support. + +### 🔨 Refactor + +- Improve logging with error wrapping and remove deprecated Go `ioutil` usage. + +### ⬆️ Dependencies + +- Bump tooling such as changie, release, trunk, more security scanners. +- Other dependency bumps such as `golang.org/x/net`. diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index f40fd48..c1166b9 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,10 +2,10 @@ name: lint on: # Run CI against all pushes (direct commits, also merged PRs), Pull Requests - push: - branches: - - main - - stable-* + # push: + # branches: + # - main + # - stable-* pull_request: # Run CI once per day (at 06:00 UTC) # This ensures that even if there haven't been commits that we are still testing against latest version of ansible-test for each ansible-base version diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ba4e46c..91cbb18 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
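Review bot: Commenting out the `push:` trigger in `.github/workflows/lint.yml` means the lint workflow, which after the previous patch's `.trunk/trunk.yaml` change carries gitleaks, trivy and trufflehog, no longer runs on commits landing directly on `main` or `stable-*`; only `pull_request` and the daily run described in the following comment appear to remain. If the intent is to avoid duplicate PR runs, say so where the block is disabled, e.g. `# push triggers disabled: PR runs cover the same checks; re-enable if direct pushes to main are permitted`; otherwise restoring the push trigger for `main` keeps the post-merge state scanned.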
@@ -20,7 +20,9 @@ jobs: - name: Setup Golang with cache uses: magnetikonline/action-golang-cache@797f193169d3c8ba6f60d90f50ecdadd2583fbd8 # tag=v3 with: - go-version-file: go.mod + go-version: ~1.21 + # with: + # go-version-file: go.mod - uses: aquaproj/aqua-installer@61e2563dfe7674cbf74fe6ec212e444198a3bb00 # tag=v2.0.2 with: diff --git a/CHANGELOG.md b/CHANGELOG.md index 22aa2ba..8383c20 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html), and is generated by [Changie](https://github.com/miniscruff/changie). +## v1.2.1 - 2023-09-05 + +### 🤖 CI & Build + +- Improve mage tasks with secret setup and tear down for better development support and troubleshooting. + +- Bump go version in release pipeline to use `1.21` as can include standard library security improvements. + +### 🔨 Refactor + +- Improve logging with error wrapping and remove deprecated Go `ioutil` usage. + +### ⬆️ Dependencies + +- Bump changie installation, goreleaser. + ## v1.2.0 - 2023-04-27 ### 🤖 CI & Build diff --git a/charts/dsv-injector/Chart.yaml b/charts/dsv-injector/Chart.yaml index 0461cf8..813e009 100644 --- a/charts/dsv-injector/Chart.yaml +++ b/charts/dsv-injector/Chart.yaml @@ -8,7 +8,7 @@ description: | NAMESPACE='dsv' CREDENTIALS_JSON_FILE='.cache/credentials.json' # replace with your credentials file IMAGE_REPOSITORY='docker.io/delineaxpm/dsv-k8s' - IMAGE_TAG='v1.2.0' # use latest for test, but pin to a specific version for production + IMAGE_TAG='v1.2.1' # use latest for test, but pin to a specific version for production helm install \ --namespace $NAMESPACE \ @@ -29,7 +29,7 @@ keywords: - secrets - vault type: application -version: v1.2.0 +version: v1.2.1 appVersion: latest maintainers: - name: Sheldon Hull diff --git a/charts/dsv-injector/values.yaml b/charts/dsv-injector/values.yaml index 893ced9..2e28361 100644 
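Review bot: Replacing `go-version-file: go.mod` with `go-version: ~1.21` in `release.yml` makes the release toolchain a second source of truth that can drift from `go.mod`, and `~1.21` floats across patch releases while `.aqua/aqua.yaml` in the same patch pins `golang/go@go1.21.0`. If `go.mod` cannot yet declare 1.21, a comment such as `# temporary: go.mod still declares an older go directive; switch back to go-version-file once bumped` explains the duplication, and the leftover `# with:` / `# go-version-file: go.mod` lines can be dropped since they only repeat the key above.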
--- a/charts/dsv-injector/values.yaml +++ b/charts/dsv-injector/values.yaml @@ -29,7 +29,7 @@ image: # -- Overrides the image tag whose default is the chart appVersion. # Local Testing: Use `latest`. # @default -- the current app version/chart version - tag: v1.2.0 + tag: v1.2.1 # -- Entrypoint is the path to the binary. Since the container image could contain multiple binaries, this makes sure it's correctly mapped to the binary. entrypoint: /app/dsv-injector diff --git a/charts/dsv-syncer/Chart.yaml b/charts/dsv-syncer/Chart.yaml index d96d575..9d3a38e 100644 --- a/charts/dsv-syncer/Chart.yaml +++ b/charts/dsv-syncer/Chart.yaml @@ -7,7 +7,7 @@ description: | ```shell NAMESPACE='dsv' IMAGE_REPOSITORY='docker.io/delineaxpm/dsv-k8s' - IMAGE_TAG='v1.2.0' # use latest for test, but pin to a specific version for production + IMAGE_TAG='v1.2.1' # use latest for test, but pin to a specific version for production helm install \ --namespace $NAMESPACE \ @@ -26,7 +26,7 @@ keywords: - secrets - vault type: application -version: v1.2.0 +version: v1.2.1 appVersion: latest maintainers: - name: Sheldon Hull diff --git a/charts/dsv-syncer/values.yaml b/charts/dsv-syncer/values.yaml index 6ab7db4..300e9c1 100644 --- a/charts/dsv-syncer/values.yaml +++ b/charts/dsv-syncer/values.yaml @@ -18,7 +18,7 @@ image: # -- Overrides the image tag whose default is the chart appVersion. # Local Testing: Use `latest`. # @default -- the current app version/chart version - tag: v1.2.0 + tag: v1.2.1 # -- Entrypoint is the path to the binary. Since the container image could contain multiple binaries, this makes sure it's correctly mapped to the binary. entrypoint: /app/dsv-syncer