PASS-2: Handle managed secrets reconciliation (#75)

Secret data value changes in git repos are now pulled successfully, and secrets updated as a result.

.circleci/config.yml

@@ -5,7 +5,7 @@ setup: true
 
 orbs:
   dynamic: bjd2385/dynamic-continuation@3.8.1
-  general: premiscale/general@1.1.1
+  general: premiscale/general@1.1.2
   slack: circleci/slack@4.12.6
 
 
@@ -185,7 +185,7 @@ workflows:
             --set operator.priority="$OPERATOR_PRIORITY"
             --set operator.ssh.createSecret="true"
             --set operator.pass.binary="$PASS_BINARY"
-            --set operator.pass.subdirectory="$PASS_DIRECTORY"
+            --set operator.pass.storeSubPath="$PASS_DIRECTORY"
             --set operator.gpg.createSecret="true"
             --set operator.gpg.value="$PASS_GPG_KEY"
             --set operator.gpg.key_id="$PASS_GPG_KEY_ID"

.circleci/helm.operator-crds.yml

@@ -2,7 +2,7 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.1.1
+  general: premiscale/general@1.1.2
 
 
 workflows:

.circleci/helm.yml

@@ -2,7 +2,7 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.1.1
+  general: premiscale/general@1.1.2
 
 
 workflows:

.circleci/src.yml

@@ -2,20 +2,22 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.1.1
+  general: premiscale/general@1.1.2
+  slack: circleci/slack@4.12.6
 
 
 executors:
   python-3-10:
     docker:
-      - image: cimg/python:3.10.11
+      - image: cimg/python:3.10.13
 
 
 workflows:
   src:
     jobs:
       - general/python-pylint:
           name: pylint
+          configuration_file: pyproject.toml
           context: nexus
 
       - general/python-mypy:
@@ -73,6 +75,26 @@ workflows:
               ignore:
                 - master
 
+      - slack/on-hold:
+          name: 'slack: notify release development deployment hold'
+          context: slack
+          requires:
+            - helm build and push [helm/operator] [develop]
+          filters:
+            branches:
+              ignore:
+                - master
+
+      - request-approval:
+          name: 'hold: release develop deployment'
+          requires:
+            - 'slack: notify release development deployment hold'
+          type: approval
+          filters:
+            branches:
+              ignore:
+                - master
+
       - general/helm-upgrade:
           name: helm upgrade install [helm/operator] [develop]
           cluster: $CHELSEA_CLUSTER
@@ -87,7 +109,7 @@ workflows:
             --set operator.priority="$OPERATOR_PRIORITY"
             --set operator.ssh.createSecret="true"
             --set operator.pass.binary="$PASS_BINARY"
-            --set operator.pass.subdirectory="$PASS_DIRECTORY"
+            --set operator.pass.storeSubPath="$PASS_DIRECTORY"
             --set operator.gpg.createSecret="true"
             --set operator.gpg.value="$PASS_GPG_KEY"
             --set operator.gpg.key_id="$PASS_GPG_KEY_ID"
@@ -96,7 +118,7 @@ workflows:
             --set operator.git.branch="$PASS_GIT_BRANCH"
             --set operator.ssh.value="$PASS_SSH_PRIVATE_KEY"
           requires:
-            - helm build and push [helm/operator] [develop]
+            - 'hold: release develop deployment'
           context:
             - kubeconfig
             - nexus
@@ -155,6 +177,26 @@ workflows:
               only:
                 - master
 
+      - slack/on-hold:
+          name: 'slack: notify release master deployment hold'
+          context: slack
+          requires:
+            - helm build and push [helm/operator] [master]
+          filters:
+            branches:
+              ignore:
+                - master
+
+      - request-approval:
+          name: 'hold: release master deployment'
+          requires:
+            - 'slack: notify release master deployment hold'
+          type: approval
+          filters:
+            branches:
+              ignore:
+                - master
+
       - general/helm-upgrade:
           name: helm upgrade install [helm/operator] [master]
           cluster: $CHELSEA_CLUSTER
@@ -169,7 +211,7 @@ workflows:
             --set operator.priority="$OPERATOR_PRIORITY"
             --set operator.ssh.createSecret="true"
             --set operator.pass.binary="$PASS_BINARY"
-            --set operator.pass.subdirectory="$PASS_DIRECTORY"
+            --set operator.pass.storeSubPath="$PASS_DIRECTORY"
             --set operator.gpg.createSecret="true"
             --set operator.gpg.value="$PASS_GPG_KEY"
             --set operator.gpg.key_id="$PASS_GPG_KEY_ID"
@@ -178,7 +220,7 @@ workflows:
             --set operator.git.branch="$PASS_GIT_BRANCH"
             --set operator.ssh.value="$PASS_SSH_PRIVATE_KEY"
           requires:
-            - helm build and push [helm/operator] [master]
+            - 'hold: release master deployment'
           context:
             - kubeconfig
             - nexus

.circleci/tests.yml

@@ -4,24 +4,35 @@ version: 2.1
 executors:
   python-3-10:
     docker:
-      - image: cimg/python:3.10.11
+      - image: cimg/python:3.10.13
 
 
-orbs: {}
+orbs:
+  general: premiscale/general@1.1.2
 
 
 jobs:
-  run-tests:
+  python-tests-unit:
     executor: python-3-10
     resource_class: small
     steps:
+      - checkout
+      - general/python-install-poetry
       - run:
-          name: Run tests
-          command: |
-            echo
+          name: Poetry install
+          command: |+
+            poetry install
+      - run:
+          name: Python unit tests
+          command: |+
+            poetry run pytest tests/unit
+      - store_test_results:
+          path: ./junit_test_results.xml
+
 
 
 workflows:
   tests:
     jobs:
-      - run-tests
+      - python-tests-unit:
+          name: python unit tests

.github/renovate.json

@@ -0,0 +1,13 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "packageRules": [
+    {
+      "matchCategories": ["python"],
+      "matchUpdateTypes": ["patch", "minor"],
+      "groupName": "python (non-major)"
+    }
+  ]
+}

.gitignore

@@ -189,6 +189,7 @@ pyrightconfig.json
 *.user
 *.userosscache
 *.sln.docstates
+.vscode/settings.json
 
 # User-specific files (MonoDevelop/Xamarin Studio)
 *.userprefs
@@ -531,3 +532,7 @@ MigrationBackup/
 .ionide/
 
 # End of https://www.toptal.com/developers/gitignore/api/python,helm,vs
+
+
+*.xml
+tmp*

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ repos:
       - id: hadolint
         args:
           - --config
-          - .hadolint.yaml
+          - .github/.hadolint.yaml
           - -t
           - error
           - Dockerfile
@@ -22,15 +22,6 @@ repos:
       - id: check-shebang-scripts-are-executable
       - id: mixed-line-ending
 
-  - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
-    hooks:
-      - id: mypy
-        args:
-          - --install-types
-          - --non-interactive
-          - --config-file=pyproject.toml
-
   - repo: https://github.com/jumanjihouse/pre-commit-hooks
     rev: 3.0.0
     hooks:
@@ -48,36 +39,38 @@ repos:
     hooks:
       - id: helmlint
 
-  - repo: https://github.com/python-poetry/poetry
-    rev: 1.7.0
-    hooks:
-      - id: poetry-check
-      - id: poetry-lock
-      - id: poetry-export
-        args: ["-f", "requirements.txt", "-o", "requirements.txt"]
-
-  - repo: https://github.com/PyCQA/pylint
-    rev: v3.0.3
+  - repo: local
     hooks:
-      - id: pylint
+      - id: mypy
+        language: script
+        name: mypy
+        entry: /usr/bin/env poetry run mypy
         args:
-          - --rcfile=.pylintrc
-          - src/
+          - --non-interactive
+          - --install-types
+          - --config-file=pyproject.toml
+        files: src/
+      - id: pylint
+        language: script
+        name: pylint
+        entry: /usr/bin/env poetry run pylint
+        args: []
+        files: src/
 
   - repo: https://github.com/abravalheri/validate-pyproject
     rev: v0.15
     hooks:
       - id: validate-pyproject
 
+  - repo: https://github.com/python-poetry/poetry
+    rev: 1.7.0
+    hooks:
+      - id: poetry-check
+      - id: poetry-lock
+      - id: poetry-export
+        args: ["-f", "requirements.txt", "-o", "requirements.txt"]
+
   - repo: https://github.com/premiscale/pre-commit-hooks
     rev: v0.0.9
     hooks:
-    -   id: msg-issue-prefix
-
-  # - repo: local
-  #   hooks:
-  #     - id: kubeconform
-  #       name: kubeconform
-  #       language: system
-  #       entry: kubeconform -exit-on-error -n 4 -output text -strict -summary -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' helm/operator/crds/
-  #       files: '.*.ya?ml'
+    -   id: msg-issue-prefix

Dockerfile

@@ -1,5 +1,5 @@
 ARG IMAGE=python
-ARG TAG=3.10.11
+ARG TAG=3.10.13
 
 FROM ${IMAGE}:${TAG}
 
@@ -18,7 +18,7 @@ ARG TINI_VERSION=v0.19.0
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 RUN chmod +x /tini
 
-ARG PASS_VERSION=1.7.3-2
+ARG PASS_VERSION=1.7.4-6
 RUN apt update \
     && apt list -a pass \
     && apt install -y pass="$PASS_VERSION" \
@@ -43,6 +43,7 @@ ENV PATH=${PATH}:/opt/pass-operator/.local/bin
 
 # Set up SSH and install the pass-operator package from my private registry.
 RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh "$HOME"/.gnupg \
+    && printf "[pull]\\n    rebase = true" > "$HOME"/.gitconfig \
     && chmod 700 "$HOME"/.gnupg \
     && pip install --upgrade pip \
     && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}"