Merge pull request #14 from bryopsida/6-allow-upgrading-when-using-ce…

…rtmanager Allow upgrading when using certmanager
bryopsida · Jul 2, 2023 · f9a425e · f9a425e
2 parents 76b1ab8 + 819c5a6
commit f9a425e
Show file tree

Hide file tree

Showing 40 changed files with 1,245 additions and 711 deletions.
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -3,18 +3,13 @@ module.exports = {
     browser: false,
     es2022: true
   },
-  extends: [
-    'standard'
-  ],
+  extends: ["standard", "prettier"],
   ignorePatterns: [],
-  parser: '@typescript-eslint/parser',
+  parser: "@typescript-eslint/parser",
   parserOptions: {
     ecmaVersion: 12,
-    sourceType: 'module'
+    sourceType: "module"
   },
-  plugins: [
-    '@typescript-eslint'
-  ],
-  rules: {
-  }
+  plugins: ["@typescript-eslint"],
+  rules: {}
 }
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 jobs:
   build:
     timeout-minutes: 10
@@ -15,47 +15,47 @@ jobs:
         node-version: [16.x, 18.x, 20.x]
 
     steps:
-    - uses: actions/checkout@v3
-    - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v3
-      with:
-        node-version: ${{ matrix.node-version }}
-        cache: 'npm'
-    - run: npm ci
-    - run: npm run build --if-present
-    - run: npm run lint --if-present
-    - run: npm test
-    - uses: actions/upload-artifact@v3
-      if: ${{ matrix.node-version == '16.x' }}
-      with:
-        name: coverage
-        path: |
-          coverage
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: "npm"
+      - run: npm ci
+      - run: npm run build --if-present
+      - run: npm run lint --if-present
+      - run: npm test
+      - uses: actions/upload-artifact@v3
+        if: ${{ matrix.node-version == '16.x' }}
+        with:
+          name: coverage
+          path: |
+            coverage
   sonar:
     runs-on: ubuntu-latest
     needs:
-    - build
+      - build
     steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-    - uses: actions/download-artifact@v3
-      with:
-        name: coverage
-        path: coverage
-    - name: SonarCloud Scan
-      uses: SonarSource/sonarcloud-github-action@master
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
-        SONAR_TOKEN: ${{ secrets.SONARQUBE_KEY }}
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: actions/download-artifact@v3
+        with:
+          name: coverage
+          path: coverage
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONARQUBE_KEY }}
   build-image:
     timeout-minutes: 10
     runs-on: ubuntu-latest
     needs:
-     - build
+      - build
     env:
-      REGISTRY: 'ghcr.io'
-      IMAGE_NAME: 'bryopsida/psa-restricted-patcher'
+      REGISTRY: "ghcr.io"
+      IMAGE_NAME: "bryopsida/psa-restricted-patcher"
     permissions:
       contents: read
       packages: write
@@ -67,7 +67,7 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06
         with:
-          cosign-release: 'v1.13.1'
+          cosign-release: "v1.13.1"
       # for multi arch container builds
       - name: Set up QEMU
         uses: docker/setup-qemu-action@master
@@ -124,18 +124,18 @@ jobs:
       matrix:
         k8s-version: [1.22.13, 1.23.10, 1.24.4, 1.25.0, 1.26.0, 1.27.0]
     needs:
-     - build-image
+      - build-image
     env:
-      REGISTRY: 'ghcr.io'
-      IMAGE_NAME: 'bryopsida/psa-restricted-patcher'
+      REGISTRY: "ghcr.io"
+      IMAGE_NAME: "bryopsida/psa-restricted-patcher"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
       - name: Use Node.js 18
         uses: actions/setup-node@v3
         with:
           node-version: 18
-          cache: 'npm'
+          cache: "npm"
       - name: Install Dependencies
         run: npm ci
       - name: Start Minikube
@@ -161,7 +161,7 @@ jobs:
           mkdir -p /tmp/failure-logs
           minikube logs > /tmp/failure-logs/minikube.log
           kubectl logs deployments/psa-restricted-patcher --prefix=true --ignore-errors=true --timestamps --pod-running-timeout=60s > /tmp/failure-logs/psa-restricted-patcher.deployment.log
-          kubectl describe deployment kpsa-restricted-patcher > /tmp/failure-logs/psa-restricted-patcher.deployment.describe
+          kubectl describe deployment psa-restricted-patcher > /tmp/failure-logs/psa-restricted-patcher.deployment.describe
           kubectl get deployment psa-restricted-patcher -o yaml > /tmp/failure-logs/psa-restricted-patcher.deployment.yaml
           kubectl describe configmap psa-restricted-patcher > /tmp/failure-logs/psa-restricted-patcher.configmap.describe
       - name: Upload Logs On Failure
@@ -174,11 +174,11 @@ jobs:
   publish-chart:
     if: ${{ github.event_name != 'pull_request' }}
     needs:
-    - verify
+      - verify
     timeout-minutes: 5
     runs-on: ubuntu-latest
     permissions:
-      contents: write     
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3

diff --git a/.gitignore b/.gitignore
@@ -104,4 +104,5 @@ dist
 .tern-port
 
 .dccache
-.DS_Store
+.DS_Store
+docs
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1,4 @@
+helm
+node_modules
+coverage
+dist
diff --git a/.prettierrc.js b/.prettierrc.js
@@ -0,0 +1,4 @@
+module.exports = {
+  semi: false,
+  trailingComma: "none"
+}
diff --git a/README.md b/README.md
@@ -1,15 +1,18 @@
 # psa-restricted-patcher
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Coverage](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=coverage)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=code_smells)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=bugs)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher)
 
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Coverage](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=coverage)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=code_smells)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher) [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=bryopsida_psa-restricted-patcher&metric=bugs)](https://sonarcloud.io/summary/new_code?id=bryopsida_psa-restricted-patcher)
 
 ## NPM Scripts
+
 The following scripts are available
+
 - `lint` lints the source code using eslint
 - `lint:fix` automatically fixes any lint errors that can be fixed automatically
 - `test` uses jest to run test suites
 - `test:e2e` runs e2e test suite, this requires an active helm:deploy
 - `build` compiles the typescript into js and places it in the `dist` folder
 - `build:image` builds the container image
+- `build:docs` builds the api docs
 - `minikube:start` create a minikube k8s cluster
 - `minikube:stop` stop minikube but do not delete
 - `minikube:delete` delete the minikube cluster
@@ -21,20 +24,21 @@ The following scripts are available
 - `helm:uninstallCertManager` remove cert-manager from the k8s cluster
 
 ## Deploy it
+
 If you don't already have cert manager installed you will need to run:
 
-``` bash
+```bash
 helm repo add jetstack https://charts.jetstack.io && helm repo update && \
   helm upgrade --install --namespace cert-manager --create-namespace \
   cert-manager jetstack/cert-manager --set installCRDs=true --debug --wait
 ```
 
-Add the helm repos `helm repo add psa https://bryopsida.github.io/psa-restricted-patcher` fetch updates `helm repo update`. 
+Add the helm repos `helm repo add psa https://bryopsida.github.io/psa-restricted-patcher` fetch updates `helm repo update`.
 
 Verify it worked `helm search repo psa` and you should see something like.
 
 ```
-NAME                                                    CHART VERSION   APP VERSION     DESCRIPTION                                       
+NAME                                                    CHART VERSION   APP VERSION     DESCRIPTION
 psa/psa-restricted-patcher...      0.1.0           0.1.0          ...
 ```
 

diff --git a/helm/psa-restricted-patcher/Chart.yaml b/helm/psa-restricted-patcher/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: psa-restricted-patcher
 description: Automatically patches pods on creation to conform to the pod security restricted profile
 type: application
-version: 0.7.0
-appVersion: "0.2.0"
+version: 0.8.0
+appVersion: "0.3.0"
 maintainers:
   - name: bryopsida
diff --git a/helm/psa-restricted-patcher/README.md b/helm/psa-restricted-patcher/README.md
@@ -1,6 +1,6 @@
 # psa-restricted-patcher
 
-![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.3.0](https://img.shields.io/badge/AppVersion-0.3.0-informational?style=flat-square)
 
 Automatically patches pods on creation to conform to the pod security restricted profile
 
@@ -44,6 +44,7 @@ Automatically patches pods on creation to conform to the pod security restricted
 | passthroughPatterns | list | `[]` | A list of regex patterns, that if matched, the pod passes through untouched  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| rbacCreate | bool | `true` | Create the RBAC rules and bindings to allow the webhook to update the caBundle value, this is needed to handle rotations, if disabled you can provide your own bindings |
 | reinvocationPolicy | string | `"IfNeeded"` | ReinvocationPolicy can be Never or IfNeeded, this hook operates in a idempotent manner so IfNeeded is the default. |
 | replicaCount | int | `1` |  |
 | resources.limits.cpu | string | `"0.2"` |  |

diff --git a/helm/psa-restricted-patcher/scripts/inject-ca.sh b/helm/psa-restricted-patcher/scripts/inject-ca.sh
diff --git a/helm/psa-restricted-patcher/templates/configmap.yaml b/helm/psa-restricted-patcher/templates/configmap.yaml
@@ -11,8 +11,11 @@ data:
         "level": "{{ .Values.logLevel }}"
       },
       "tls": {
-        "enabled": true
+        "enabled": true,
+        "secretName": {{ .Values.tlsSecretName | quote }}
       },
+      "hookName": "{{ include "psa-restricted-patcher.fullname" . }}-hooks",
+      "hookNamespace": {{ .Release.Namespace | quote }},
       "addSeccompProfile": {{ .Values.addSeccompProfile }},
       "seccompProfile": "{{ .Values.seccompProfile  }}",
       "namespaces": {{ .Values.namespaces | toJson }},

diff --git a/helm/psa-restricted-patcher/templates/mutating-webhook.yaml b/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
@@ -24,10 +24,8 @@ webhooks:
     scope: "*"
     {{- end }}
   clientConfig:
-    {{- /* if this is an upgrade and cm is enabled, and it's a self signed issuer, enforce hookCaBundle being set */}}
-    {{- if and .Release.IsUpgrade .Values.certmanager.enabled .Values.certmanager.useSelfSignedIssuer }}
-    caBundle: {{ required "When upgrading after using a self signed issuer with certmanager you must provide the ca.crt as hookCaBundle on upgrades, otherwise api trust will break!" .Values.hookCaBundle}}
-    {{- else if .Values.hookCaBundle }}
+    {{- /* Allow setting this but, have periodic check tied to health checks in hook that can update this it's rotated */}}
+    {{- if .Values.hookCaBundle }}
     caBundle: {{ .Values.hookCaBundle }}
     {{- end }}
     service:

diff --git a/helm/psa-restricted-patcher/templates/rbac.yaml b/helm/psa-restricted-patcher/templates/rbac.yaml
@@ -0,0 +1,59 @@
+{{- /* Create RBAC for the hook to update its mutatingwebhook configuration
+  Adds permission to read the referenced TLS secret for the hook which is already
+  mounted into the pod, and to read and patch its mutatingwebhookconfiguration to update its cabundle
+ */}}
+{{- if .Values.rbacCreate }}
+{{- /* Read the TLS secret for the hook */}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ .Release.Name }}-tls-reader
+rules:
+- apiGroups: [""]
+  resourceNames: ["{{ .Values.tlsSecretName }}"]
+  resources: ["secrets"]
+  verbs: ["get"]
+---
+{{- /* we need to be able to mutate the validating hook, this is a cluster level/global resource, we need a clusterrole for this*/}}
+{{- /* this role can read/write validating webhooks*/}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-ca-injector
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations"]
+  resourceNames: ["{{ include "psa-restricted-patcher.fullname" . }}-hooks"]
+  verbs: ["get", "update", "patch"]
+{{- /* bind sa to roles */}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-hook-read-secrets-binding
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "psa-restricted-patcher.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role 
+  name: {{ .Release.Name }}-tls-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-hook-read-secrets-binding
+subjects:
+- kind: ServiceAccount
+  name:  {{ include "psa-restricted-patcher.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole 
+  name: {{ .Release.Name }}-ca-injector
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}