Merge pull request #68 from premiscale/PASS-16

PASS-16: new helm testing
premiscale · Jan 23, 2024 · a3d6f64 · a3d6f64
2 parents 7c3ba98 + 577b25a
commit a3d6f64
Show file tree

Hide file tree

Showing 15 changed files with 227 additions and 74 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -5,7 +5,7 @@ setup: true
 
 orbs:
   dynamic: bjd2385/dynamic-continuation@3.8.1
-  general: premiscale/general@1.0.13
+  general: premiscale/general@1.1.1
   slack: circleci/slack@4.12.5
 
 

diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml
@@ -2,7 +2,7 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.0.13
+  general: premiscale/general@1.1.1
 
 
 workflows:

diff --git a/.circleci/helm.yml b/.circleci/helm.yml
@@ -2,18 +2,24 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.0.13
+  general: premiscale/general@1.1.1
 
 
 workflows:
   helm:
     jobs:
       - general/helm-lint:
-          name: helm lint [<< matrix.chart-path >>]
-          matrix:
-            parameters:
-              chart-path:
-                - helm/operator
-                - helm/operator-crds
-            alias: helm-lint
-          chart-path: << matrix.chart-path >>
+          name: helm lint
+
+      - general/helm-test-kubesec:
+          kubeconform-schema: >-
+            --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/$CIRCLE_BRANCH/helm/operator-crds/_json/PassSecret.json
+          name: kubesec
+
+      - general/helm-test-kubelinter:
+          name: kubelinter
+          # TODO: re-enable this exclude
+          exclude: no-read-only-root-fs
+
+      - general/helm-test-deprecated:
+          name: deprecated api
diff --git a/.circleci/src.yml b/.circleci/src.yml
@@ -2,7 +2,7 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.0.13
+  general: premiscale/general@1.1.1
 
 
 executors:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -13,7 +13,7 @@ repos:
           - Dockerfile
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: trailing-whitespace
       - id: check-added-large-files
@@ -23,7 +23,7 @@ repos:
       - id: mixed-line-ending
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.3.0
+    rev: v1.8.0
     hooks:
       - id: mypy
         args:
@@ -39,33 +39,33 @@ repos:
           - -x
 
   - repo: https://github.com/bjd2385/dynamic-continuation-orb
-    rev: v3.6.10
+    rev: v3.8.1
     hooks:
       - id: circleci-config-validate
 
   - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.22
+    rev: v0.1.23
     hooks:
       - id: helmlint
 
   - repo: https://github.com/python-poetry/poetry
-    rev: 1.5.0
+    rev: 1.7.0
     hooks:
       - id: poetry-check
       - id: poetry-lock
       - id: poetry-export
         args: ["-f", "requirements.txt", "-o", "requirements.txt"]
 
   - repo: https://github.com/PyCQA/pylint
-    rev: v3.0.0a6
+    rev: v3.0.3
     hooks:
       - id: pylint
         args:
           - --rcfile=.pylintrc
           - src/
 
   - repo: https://github.com/abravalheri/validate-pyproject
-    rev: v0.13
+    rev: v0.15
     hooks:
       - id: validate-pyproject
 

diff --git a/Dockerfile b/Dockerfile
@@ -3,8 +3,10 @@ ARG TAG=3.10.11
 
 FROM ${IMAGE}:${TAG}
 
+SHELL [ "/bin/bash", "-c" ]
+
 # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
-LABEL org.opencontainers.image.description "© PremiScale, Inc. 2023"
+LABEL org.opencontainers.image.description "© PremiScale, Inc. 2024"
 LABEL org.opencontainers.image.licenses "GPLv3"
 LABEL org.opencontainers.image.authors "Emma Doyle <emma@premiscale.com>"
 LABEL org.opencontainers.image.documentation "https://premiscale.com"
@@ -23,12 +25,12 @@ RUN apt update \
     && rm -rf /var/apt/lists/*
 
 # Add 'operator' user and group.
-RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 1001 operator
+RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 10001 operator
 
 WORKDIR /opt/pass-operator
 
 RUN chown -R operator:operator .
-USER operator
+USER 10001
 
 ARG PYTHON_USERNAME
 ARG PYTHON_PASSWORD
@@ -39,8 +41,9 @@ ARG PYTHON_PACKAGE_VERSION=0.0.1
 
 ENV PATH=${PATH}:/opt/pass-operator/.local/bin
 
-# Install and initialize PremiScale.
-RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh \
+# Set up SSH and install the pass-operator package from my private registry.
+RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh "$HOME"/.gnupg \
+    && chmod 700 "$HOME"/.gnupg \
     && pip install --upgrade pip \
     && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}"
 
@@ -58,6 +61,5 @@ ENV OPERATOR_INTERVAL=60 \
     PASS_SSH_PRIVATE_KEY=""
 
 COPY bin/entrypoint.sh /entrypoint.sh
-COPY --chown=operator:operator --chmod=400 bin/ssh_config /opt/pass-operator/.ssh/config
 
 ENTRYPOINT [ "/tini", "--", "/entrypoint.sh" ]
diff --git a/LICENSE b/LICENSE
@@ -1,7 +1,7 @@
                     GNU GENERAL PUBLIC LICENSE
                        Version 3, 29 June 2007
 
- Copyright (C) 2023 PremiScale, Inc. <https://premiscale.com>
+ Copyright (C) 2024 PremiScale, Inc. <https://premiscale.com>
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 

diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh
@@ -24,14 +24,18 @@ fi
 eval "$(ssh-agent -s)"
 printf "%s" "$PASS_SSH_PRIVATE_KEY" | ssh-add -
 
+# Set up ~/.ssh/config to disable strict host key checking on github.com.
+printf "Host github.com\\n    StrictHostKeyChecking no\\n" > ~/.ssh/config
+chmod 400 ~/.ssh/config
+
 # Import private gpg key for secrets' decryption.
 # Generate the contents of this env var with 'gpg --armor --export-private-key <key_id> | base64 | pbcopy'
 if [ -z "$PASS_GPG_PASSPHRASE" ]; then
     echo "$PASS_GPG_KEY" | gpg --dearmor | gpg --batch --import
 else
-    echo "$PASS_GPG_KEY" | gpg --dearmor > dearmored_key.gpg
-    echo "$PASS_GPG_PASSPHRASE" | gpg --batch --import dearmored_key.gpg
-    rm dearmored_key.gpg
+    echo "$PASS_GPG_KEY" | gpg --dearmor > .gnupg/dearmored_key.gpg
+    echo "$PASS_GPG_PASSPHRASE" | gpg --batch --import .gnupg/dearmored_key.gpg
+    rm .gnupg/dearmored_key.gpg
 fi
 
 # Initialize pass with the indicated directory and GPG key ID to decrypt secrets pulled from the Git repository.

diff --git a/bin/ssh_config b/bin/ssh_config
diff --git a/helm/operator-crds/.helmignore b/helm/operator-crds/.helmignore
@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+_json/
diff --git a/helm/operator-crds/_json/PassSecret.json b/helm/operator-crds/_json/PassSecret.json
@@ -0,0 +1,127 @@
+{
+  "apiVersion": "apiextensions.k8s.io/v1",
+  "kind": "CustomResourceDefinition",
+  "metadata": {
+    "name": "passsecrets.secrets.premiscale.com"
+  },
+  "spec": {
+    "group": "secrets.premiscale.com",
+    "scope": "Namespaced",
+    "names": {
+      "kind": "PassSecret",
+      "listKind": "PassSecretList",
+      "plural": "passsecrets",
+      "singular": "passsecret"
+    },
+    "versions": [
+      {
+        "name": "v1alpha1",
+        "deprecated": false,
+        "served": true,
+        "storage": true,
+        "additionalPrinterColumns": [
+          {
+            "name": "Secret Name",
+            "type": "string",
+            "jsonPath": ".spec.managedSecret.name"
+          },
+          {
+            "name": "Secret Namespace",
+            "type": "string",
+            "jsonPath": ".spec.managedSecret.namespace"
+          },
+          {
+            "name": "Secret Type",
+            "type": "string",
+            "jsonPath": ".spec.managedSecret.type"
+          },
+          {
+            "name": "Age",
+            "type": "date",
+            "jsonPath": ".metadata.creationTimestamp"
+          }
+        ],
+        "schema": {
+          "openAPIV3Schema": {
+            "x-kubernetes-embedded-resource": true,
+            "description": "PassSecret is the schema for the PassOperator API.",
+            "type": "object",
+            "properties": {
+              "apiVersion": {
+                "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values. More info:\n\nhttps://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\n",
+                "type": "string"
+              },
+              "kind": {
+                "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated. In CamelCase. More info:\n\nhttps://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\n",
+                "type": "string"
+              },
+              "metadata": {
+                "type": "object"
+              },
+              "spec": {
+                "description": "PassSecretSpec defines the desired state of a PassSecret.",
+                "type": "object",
+                "properties": {
+                  "encryptedData": {
+                    "description": "Data to be contained in the secret.\n",
+                    "type": "object",
+                    "minProperties": 1,
+                    "additionalProperties": {
+                      "type": "string"
+                    }
+                  },
+                  "managedSecret": {
+                    "description": "Configure the managed Kubernetes secret object's fields.",
+                    "type": "object",
+                    "properties": {
+                      "name": {
+                        "description": "Name of the Kubernetes Secret object to create.",
+                        "type": "string"
+                      },
+                      "namespace": {
+                        "description": "Namespace in which to create the Kubernetes secret.",
+                        "type": "string"
+                      },
+                      "type": {
+                        "description": "Kubernetes Secret type to create.",
+                        "type": "string",
+                        "default": "Opaque",
+                        "enum": [
+                          "Opaque",
+                          "kubernetes.io/service-account-token",
+                          "kubernetes.io/dockercfg",
+                          "kubernetes.io/dockerconfigjson",
+                          "kubernetes.io/basic-auth",
+                          "kubernetes.io/ssh-auth",
+                          "kubernetes.io/tls",
+                          "bootstrap.kubernetes.io/token"
+                        ]
+                      },
+                      "immutable": {
+                        "description": "Optionally configure whether the destination secret should be immutable.\nThis will raise warnings in the operator's log output as the managed\nsecret will have to be deleted prior to the operator being able to\nupdate it. This is also a bit of an anti-pattern.\n",
+                        "type": "boolean",
+                        "default": false
+                      }
+                    },
+                    "required": [
+                      "name",
+                      "namespace"
+                    ]
+                  }
+                },
+                "required": [
+                  "encryptedData",
+                  "managedSecret"
+                ]
+              },
+              "status": {
+                "description": "Current state of the PassSecret on the Kubernetes cluster.",
+                "type": "object"
+              }
+            }
+          }
+        }
+      }
+    ]
+  }
+}
diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml
@@ -50,8 +50,7 @@ spec:
         - name: {{ default .Values.deployment.name .Chart.Name }}
           args: [
             --log-stdout,
-            --log-level, {{ .Values.operator.log.level }},
-            --log-file, {{ .Values.operator.log.location }}
+            --log-level, {{ .Values.operator.log.level }}
           ]
           {{- with .Values.deployment.livenessProbe }}
             {{- if .enabled }}
@@ -123,7 +122,7 @@ spec:
               value: {{ .value }}
                 {{- end }}
               {{- end }}
-          {{- with .Values.deployment.securityContext }}
+          {{- with .Values.deployment.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml
@@ -6,7 +6,7 @@ global:
 deployment:
   image:
     name: pass-operator
-    tag: latest
+    tag: ignore
     pullPolicy: Always
 
   resources:
@@ -23,6 +23,14 @@ deployment:
     path: /healthz
     config: {}
 
+  podSecurityContext:
+    runAsNonRoot: true
+
+  containerSecurityContext:
+    # TODO for a future sprint.
+    # readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+
 
 operator:
   interval: 60
@@ -35,7 +43,6 @@ operator:
 
   log:
     level: info
-    location: /opt/pass-operator/runtime.log
 
   ssh:
     # If create is false, value is not used; users may bring their own.