From 2bda119ceea7765424b12c1ce49a9127c696101f Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Mon, 18 Sep 2023 16:18:05 +0200 Subject: [PATCH 1/8] feat: migrating to ClusterScope CRD --- charts/cluster-secret/crds/clustersecret-crd.yaml | 2 +- charts/cluster-secret/templates/role-cluster-rbac.yaml | 6 +++++- .../cluster-secret/templates/role-namespaced-rbac.yaml | 7 ------- conformance/k8s_utils.py | 9 ++------- conformance/tests.py | 7 ------- src/handlers.py | 3 ++- src/kubernetes_utils.py | 7 ++----- yaml/00_rbac.yaml | 6 +++--- yaml/01_crd.yaml | 2 +- yaml/02_deployment.yaml | 10 +++++----- 10 files changed, 21 insertions(+), 38 deletions(-) diff --git a/charts/cluster-secret/crds/clustersecret-crd.yaml b/charts/cluster-secret/crds/clustersecret-crd.yaml index 583575f..48a4ef7 100644 --- a/charts/cluster-secret/crds/clustersecret-crd.yaml +++ b/charts/cluster-secret/crds/clustersecret-crd.yaml @@ -10,7 +10,7 @@ spec: shortNames: - csec singular: clustersecret - scope: Namespaced + scope: Cluster versions: - additionalPrinterColumns: - description: Secret Type diff --git a/charts/cluster-secret/templates/role-cluster-rbac.yaml b/charts/cluster-secret/templates/role-cluster-rbac.yaml index c1b534d..7dad726 100644 --- a/charts/cluster-secret/templates/role-cluster-rbac.yaml +++ b/charts/cluster-secret/templates/role-cluster-rbac.yaml @@ -39,9 +39,13 @@ rules: resources: - clustersecrets verbs: - - list - watch + - list + - get - patch + - update + - create + - delete - apiGroups: - "" resources: diff --git a/charts/cluster-secret/templates/role-namespaced-rbac.yaml b/charts/cluster-secret/templates/role-namespaced-rbac.yaml index 01c41d8..de0230a 100644 --- a/charts/cluster-secret/templates/role-namespaced-rbac.yaml +++ b/charts/cluster-secret/templates/role-namespaced-rbac.yaml @@ -34,10 +34,3 @@ rules: - create - update - patch -- apiGroups: - - clustersecret.io - resources: - - clustersecrets - verbs: - - get - - patch 
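Review bot: The `scope: Namespaced` → `scope: Cluster` edit in charts/cluster-secret/crds/clustersecret-crd.yaml (repeated for yaml/01_crd.yaml later in this patch) cannot be applied to an existing CustomResourceDefinition, because `spec.scope` is immutable once the CRD exists; an upgrade of a running install is rejected unless the CRD is deleted and recreated, which removes every existing ClusterSecret object. Helm also does not upgrade files under crds/, so the chart bump to 0.3.0 in patch 2/8 will leave existing installs on the namespaced CRD with an operator that now calls the cluster-scoped API. Nothing in the series documents this; a migration note in the chart README or Chart.yaml annotations, e.g. `# Upgrading from <0.3.0: the CRD scope changed from Namespaced to Cluster; export existing ClusterSecret objects, delete and re-apply the CRD, then re-create them`, would make the breaking change visible to operators.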
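Review bot: The ClusterRole rule for clustersecrets in charts/cluster-secret/templates/role-cluster-rbac.yaml grows from list/watch/patch to also grant get, update, create and delete, and yaml/00_rbac.yaml (its @@ -33 hunk) makes the same widening; the operator code touched in this series only performs get and patch on ClusterSecret objects (src/kubernetes_utils.py), so create and delete on the CRD exceed what the visible code needs. Unless a handler outside this series creates or deletes ClusterSecret objects, the rule should stay at `verbs: [watch, list, get, patch]`, with `update` added only if the framework's status or finalizer handling is known to require it. The comment above that rule in yaml/00_rbac.yaml, `# Application: read-only access for watching cluster-wide.`, is in any case no longer accurate and should describe what the rule now grants. yaml/00_rbac.yaml also appears to keep a second clustersecrets rule (the `# Application: get and patch clustersecrets for status patching` block at its @@ -70 hunk) that the chart removes from its namespaced Role; if that block sits in the Role rather than the ClusterRole it no longer has any effect on a cluster-scoped resource and should be dropped for consistency with the chart.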
diff --git a/conformance/k8s_utils.py b/conformance/k8s_utils.py index a8ee998..1d43e6f 100644 --- a/conformance/k8s_utils.py +++ b/conformance/k8s_utils.py @@ -95,7 +95,6 @@ def _generate_secret_key_ref_dict(secret_key_ref: Dict[str, str]) -> Dict[str, A def create_cluster_secret( self, name: str, - namespace: str, data: Optional[Dict[str, Any]] = None, secret_key_ref: Optional[Dict[str, str]] = None, labels: Optional[Dict[str, str]] = None, @@ -109,7 +108,6 @@ def create_cluster_secret( return self.custom_objects_api.create_namespaced_custom_object( group="clustersecret.io", version="v1", - namespace=namespace, body={ "apiVersion": "clustersecret.io/v1", "kind": "ClusterSecret", @@ -124,16 +122,14 @@ def create_cluster_secret( def update_data_cluster_secret( self, name: str, - namespace: str, data: Dict[str, str], match_namespace: Optional[List[str]] = None, avoid_namespaces: Optional[List[str]] = None, ): - self.custom_objects_api.patch_namespaced_custom_object( + self.custom_objects_api.patch_cluster_custom_object( name=name, group="clustersecret.io", version="v1", - namespace=namespace, body={ "apiVersion": "clustersecret.io/v1", "kind": "ClusterSecret", @@ -149,11 +145,10 @@ def delete_cluster_secret( name: str, namespace: str ): - self.custom_objects_api.delete_namespaced_custom_object( + self.custom_objects_api.delete_cluster_custom_object( name=name, group="clustersecret.io", version="v1", - namespace=namespace, plural="clustersecrets", ) diff --git a/conformance/tests.py b/conformance/tests.py index 87ae3f9..470d0f5 100644 --- a/conformance/tests.py +++ b/conformance/tests.py @@ -57,7 +57,6 @@ def test_simple_cluster_secret(self): self.cluster_secret_manager.create_cluster_secret( name=name, - namespace=USER_NAMESPACES[0], data={"username": username_data} ) 
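Review bot: `delete_cluster_secret` in conformance/k8s_utils.py keeps `namespace: str` in its signature while the `namespace=namespace` argument to the now cluster-scoped delete call is removed, leaving a required parameter that is never read and that callers still have to supply; `create_cluster_secret` and `update_data_cluster_secret` in the same file drop the parameter, and none of the later patches in the series touch this signature. It should become `def delete_cluster_secret(self, name: str):` with its call sites in conformance/tests.py adjusted the same way the create/update calls are. The `def` line itself is above the hunk.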
@@ -76,7 +75,6 @@ def test_complex_cluster_secret(self): # Create a secret in all user namespace expect the first one self.cluster_secret_manager.create_cluster_secret( name=name, - namespace=USER_NAMESPACES[0], data={"username": username_data}, match_namespace=["example-*"], avoid_namespaces=[USER_NAMESPACES[0]] @@ -99,7 +97,6 @@ def test_patch_cluster_secret_data(self): # Create a secret with username_data self.cluster_secret_manager.create_cluster_secret( name=name, - namespace=USER_NAMESPACES[0], data={"username": username_data}, ) @@ -115,7 +112,6 @@ def test_patch_cluster_secret_data(self): self.cluster_secret_manager.update_data_cluster_secret( name=name, data={"username": updated_data}, - namespace=USER_NAMESPACES[0], ) # Ensure the secrets are updated with the right data (at some point) @@ -133,7 +129,6 @@ def test_patch_cluster_secret_match_namespaces(self): self.cluster_secret_manager.create_cluster_secret( name=name, - namespace=USER_NAMESPACES[0], data={"username": username_data}, match_namespace=[ USER_NAMESPACES[0] @@ -154,7 +149,6 @@ def test_patch_cluster_secret_match_namespaces(self): # Update the cluster match_namespace to ALL user namespace self.cluster_secret_manager.update_data_cluster_secret( name=name, - namespace=USER_NAMESPACES[0], match_namespace=USER_NAMESPACES, data={"username": username_data}, ) @@ -174,7 +168,6 @@ def test_simple_cluster_secret_deleted(self): self.cluster_secret_manager.create_cluster_secret( name=name, - namespace=USER_NAMESPACES[0], data={"username": username_data} ) diff --git a/src/handlers.py b/src/handlers.py index f962d5c..1026224 100644 --- a/src/handlers.py +++ b/src/handlers.py @@ -14,6 +14,8 @@ from os_utils import in_cluster +csecs: Dict[str, Any] = {} + # Loading kubeconfig if in_cluster(): # Loading kubeconfig 
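Review bot: `csecs: Dict[str, Any] = {}` is added at module level in src/handlers.py with no reader or writer anywhere in the eight patches and no comment saying what it holds or which handler owns it; a module-global mutable map in an operator that just switched from namespaced to cluster-scoped objects is exactly the state that later gets keyed on the wrong identity, so it should at least carry a comment such as `# In-memory index of ClusterSecret objects keyed by name; populated by <handler> — TODO confirm consumer`, or be left out until something uses it. The hunk also does not show `Dict` and `Any` being imported; if the import block above this hunk does not already bring them in from typing, the module fails at import time. The rest of the module is outside the hunk.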
@@ -98,7 +100,6 @@ def on_field_match_namespace( logger.debug(f'Patching clustersecret {name} in namespace {namespace}') patch_clustersecret_status( logger=logger, - namespace=namespace, name=name, new_status={'create_fn': {'syncedns': updated_matched}}, custom_objects_api=custom_objects_api, diff --git a/src/kubernetes_utils.py b/src/kubernetes_utils.py index 518b8d4..a0c6b81 100644 --- a/src/kubernetes_utils.py +++ b/src/kubernetes_utils.py @@ -12,7 +12,6 @@ def patch_clustersecret_status( logger: logging.Logger, - namespace: str, name: str, new_status, custom_objects_api: CustomObjectsApi, @@ -24,10 +23,9 @@ def patch_clustersecret_status( plural = 'clustersecrets' # Retrieve the clustersecret object - clustersecret = custom_objects_api.get_namespaced_custom_object( + clustersecret = custom_objects_api.get_cluster_custom_object( group=group, version=version, - namespace=namespace, plural=plural, name=name, ) @@ -37,10 +35,9 @@ def patch_clustersecret_status( logger.debug(f'Updated clustersecret manifest: {clustersecret}') # Perform a patch operation to update the custom resource - custom_objects_api.patch_namespaced_custom_object( + custom_objects_api.patch_cluster_custom_object( group=group, version=version, - namespace=namespace, plural=plural, name=name, body=clustersecret, diff --git a/yaml/00_rbac.yaml b/yaml/00_rbac.yaml index 45abfa5..96aec74 100644 --- a/yaml/00_rbac.yaml +++ b/yaml/00_rbac.yaml @@ -6,7 +6,7 @@ metadata: apiVersion: v1 kind: ServiceAccount metadata: - namespace: "clustersecret" + namespace: clustersecret name: clustersecret-account --- apiVersion: rbac.authorization.k8s.io/v1 @@ -33,7 +33,7 @@ rules: # Application: read-only access for watching cluster-wide. - apiGroups: [clustersecret.io] resources: [clustersecrets] - verbs: [list, watch, patch] + verbs: [watch, list, get, patch, update, create, delete] # Watch namespaces - apiGroups: [""] 
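Review bot: In `on_field_match_namespace` (src/handlers.py, @@ -98) the debug line `logger.debug(f'Patching clustersecret {name} in namespace {namespace}')` still reports a namespace while the `patch_clustersecret_status` call directly below it no longer takes one; with the CRD now cluster-scoped, the `namespace` the framework hands the handler is presumably empty or None, so the message is misleading at best. Change it to `logger.debug(f'Patching clustersecret {name}')` and drop `namespace` from the handler's parameters if nothing else in the body reads it. The handler's signature and the rest of its body are outside the hunk.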
@@ -70,7 +70,7 @@ rules: - apiGroups: [""] resources: [secrets] verbs: [create,update,patch] - + # Application: get and patch clustersecrets for status patching - apiGroups: [clustersecret.io] resources: [clustersecrets] diff --git a/yaml/01_crd.yaml b/yaml/01_crd.yaml index f8bd39c..509000e 100644 --- a/yaml/01_crd.yaml +++ b/yaml/01_crd.yaml @@ -4,7 +4,7 @@ kind: CustomResourceDefinition metadata: name: clustersecrets.clustersecret.io spec: - scope: Namespaced + scope: Cluster group: clustersecret.io versions: - name: v1 diff --git a/yaml/02_deployment.yaml b/yaml/02_deployment.yaml index c4af378..eb6f774 100644 --- a/yaml/02_deployment.yaml +++ b/yaml/02_deployment.yaml @@ -17,11 +17,6 @@ spec: serviceAccountName: clustersecret-account # imagePullSecrets: # - name: regcred - env: - - name: CLUSTER_SECRET_VERSION - value: "v0.0.10" - - name: REPLACE_EXISTING - value: "false" containers: - name: clustersecret image: quay.io/clustersecret/clustersecret:0.0.10 @@ -30,6 +25,11 @@ spec: path: /healthz port: 8080 periodSeconds: 120 + env: + - name: CLUSTER_SECRET_VERSION + value: "v0.0.10" + - name: REPLACE_EXISTING + value: "false" # imagePullPolicy: Always # Uncomment next lines for debug: # command: From 3c01dac30ef4e4b8c5254e6eb0fc1c862d891c3f Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Mon, 18 Sep 2023 16:28:06 +0200 Subject: [PATCH 2/8] fix: bump chart version --- charts/cluster-secret/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cluster-secret/Chart.yaml b/charts/cluster-secret/Chart.yaml index 390f1f8..5e561bf 100755 --- a/charts/cluster-secret/Chart.yaml +++ b/charts/cluster-secret/Chart.yaml @@ -3,7 +3,7 @@ name: cluster-secret description: ClusterSecret Operator kubeVersion: '>= 1.16.0-0' type: application -version: 0.2.1 +version: 0.3.0 icon: https://clustersecret.io/assets/csninjasmall.png sources: - https://github.com/zakkg3/ClusterSecret 
From ad658efbc7e79759052ae84dc641109c6506fd80 Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Mon, 18 Sep 2023 16:30:01 +0200 Subject: [PATCH 3/8] fix: chart linter --- charts/cluster-secret/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/cluster-secret/values.yaml b/charts/cluster-secret/values.yaml index f2bfffd..19cc493 100644 --- a/charts/cluster-secret/values.yaml +++ b/charts/cluster-secret/values.yaml @@ -5,7 +5,7 @@ clustersecret: tag: 0.0.10 # use tag-alt for ARM and other alternative builds - read the readme for more information # If Clustersecret is about to create a secret and then it founds it exists: - # Default is to ignore it. (to not loose any unintentional data) + # Default is to ignore it. (to not loose any unintentional data) # It can also reeplace it. Just uncommenting next line. - #replace_existing: 'true' + # replace_existing: 'true' kubernetesClusterDomain: cluster.local From 64dc80c8cb486b20ad71f128c776859c781ec16e Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Mon, 18 Sep 2023 16:32:26 +0200 Subject: [PATCH 4/8] fix: adding rule D102 to ignore --- setup.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.cfg b/setup.cfg index 31eba5c..56b4bcf 100644 --- a/setup.cfg +++ b/setup.cfg @@ -2,7 +2,7 @@ max-line-length = 120 exclude= src/tests -ignore=D103,D401,D400,D200,D100,DAR201,WPS305,WPS111,DAR101,WPS326,WPS226,N400,I001,I002,I003,I004,I005,WPS221,WPS237,DAR401,WPS432,WPS211,WPS440,WPS462,WPS210,WPS229,S105,WPS229,WPS202,WPS213,WPS110,WPS238,WPS231 +ignore=D103,D102,D401,D400,D200,D100,DAR201,WPS305,WPS111,DAR101,WPS326,WPS226,N400,I001,I002,I003,I004,I005,WPS221,WPS237,DAR401,WPS432,WPS211,WPS440,WPS462,WPS210,WPS229,S105,WPS229,WPS202,WPS213,WPS110,WPS238,WPS231 [darglint] docstring_style=numpy \ No newline at end of file 
From 97d5982ea748907125948d72d5b5659cac1223e2 Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Mon, 18 Sep 2023 16:33:50 +0200 Subject: [PATCH 5/8] fix: adapting conformance tests --- conformance/k8s_utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conformance/k8s_utils.py b/conformance/k8s_utils.py index 1d43e6f..0102339 100644 --- a/conformance/k8s_utils.py +++ b/conformance/k8s_utils.py @@ -105,7 +105,7 @@ def create_cluster_secret( if data is None and secret_key_ref is None: raise Exception('You need to either define data or secret_key_ref.') - return self.custom_objects_api.create_namespaced_custom_object( + return self.custom_objects_api.create_cluster_custom_object( group="clustersecret.io", version="v1", body={ From 0984b601d8c1a19900edbc32c5470fa3d07cea5e Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Mon, 18 Sep 2023 16:38:54 +0200 Subject: [PATCH 6/8] fix: conformance tests --- conformance/tests.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/conformance/tests.py b/conformance/tests.py index 470d0f5..8dbe98b 100644 --- a/conformance/tests.py +++ b/conformance/tests.py @@ -210,7 +210,6 @@ def test_value_from_cluster_secret(self): # Create the cluster secret self.cluster_secret_manager.create_cluster_secret( name=cluster_secret_name, - namespace=USER_NAMESPACES[0], secret_key_ref={ 'name': secret_name, 'namespace': USER_NAMESPACES[0], @@ -244,7 +243,6 @@ def test_value_from_with_keys_cluster_secret(self): # Create the cluster secret self.cluster_secret_manager.create_cluster_secret( name=cluster_secret_name, - namespace=USER_NAMESPACES[0], secret_key_ref={ 'name': secret_name, 'namespace': USER_NAMESPACES[0], From 8e85958275c1296d92b89e0033d2d12860bfa32b Mon Sep 17 00:00:00 2001 
From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Wed, 20 Dec 2023 11:44:59 +0100 Subject: [PATCH 7/8] fix: upgrade chart-testing-action version --- .github/workflows/e2e-testing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-testing.yaml b/.github/workflows/e2e-testing.yaml index bdb5440..cd732e9 100644 --- a/.github/workflows/e2e-testing.yaml +++ b/.github/workflows/e2e-testing.yaml @@ -31,7 +31,7 @@ jobs: cache: 'pip' # caching pip dependencies - name: Set up chart-testing - uses: helm/chart-testing-action@v2.4.0 + uses: helm/chart-testing-action@v2.6.1 - name: Run chart-testing (list-changed) id: list-changed From a1cbe9bd4ec51424a099dc811c27f8573b0806b2 Mon Sep 17 00:00:00 2001 From: axel7083 <42176370+axel7083@users.noreply.github.com> Date: Wed, 20 Dec 2023 11:50:40 +0100 Subject: [PATCH 8/8] fix: e2e tests --- conformance/tests.py | 1 - 1 file changed, 1 deletion(-) diff --git a/conformance/tests.py b/conformance/tests.py index c20bc53..0e70577 100644 --- a/conformance/tests.py +++ b/conformance/tests.py @@ -272,7 +272,6 @@ def test_simple_cluster_secret_with_annotation(self): cluster_secret_manager.create_cluster_secret( name=name, - namespace=USER_NAMESPACES[0], data={"username": username_data}, annotations=annotations, )