From c47a6498285a0ea97d372ad0d3b0035a7a195e49 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 09:58:03 -0500 Subject: [PATCH 01/39] PASS-16: new helm testing --- .circleci/helm.yml | 20 +++++++------- poetry.lock | 65 ++++++++++++++++++++++++++-------------------- 2 files changed, 48 insertions(+), 37 deletions(-) diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 525049e..fe6f34d 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -2,18 +2,20 @@ version: 2.1 orbs: - general: premiscale/general@1.0.13 + general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 workflows: helm: jobs: - general/helm-lint: - name: helm lint [<< matrix.chart-path >>] - matrix: - parameters: - chart-path: - - helm/operator - - helm/operator-crds - alias: helm-lint - chart-path: << matrix.chart-path >> \ No newline at end of file + name: helm lint + + - general/helm-test-kubesec: + name: kubesec + + - general/helm-test-kubelinter: + name: kubelinter + + - general/helm-test-deprecated: + name: deprecated api \ No newline at end of file diff --git a/poetry.lock b/poetry.lock index 5bd8059..8fd6e22 100644 --- a/poetry.lock +++ b/poetry.lock 
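Review bot: The `helm-lint` job loses its `chart-path` matrix, so `helm/operator-crds` is no longer passed to the linter explicitly; unless the new `general/helm-lint` job discovers every chart under `helm/` on its own, the CRD chart goes unlinted while the operator chart keeps coverage. Restoring `matrix: { parameters: { chart-path: [helm/operator, helm/operator-crds] } }` (or confirming the orb default and noting it in a comment) keeps both charts checked. The same hunk also swaps the released `general@1.0.13` for `general@dev:<sha>`; CircleCI dev orb labels are mutable and expire, so a `dev:` reference should not survive into the merged config even though later commits in this series pin `1.1.0`.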
@@ -447,47 +447,56 @@ files = [ [[package]] name = "cryptography" -version = "41.0.7" +version = "42.0.0" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." optional = false python-versions = ">=3.7" files = [ - {file = "cryptography-41.0.7-cp37-abi3-macosx_10_12_universal2.whl", hash = "sha256:3c78451b78313fa81607fa1b3f1ae0a5ddd8014c38a02d9db0616133987b9cdf"}, - {file = "cryptography-41.0.7-cp37-abi3-macosx_10_12_x86_64.whl", hash = "sha256:928258ba5d6f8ae644e764d0f996d61a8777559f72dfeb2eea7e2fe0ad6e782d"}, - {file = "cryptography-41.0.7-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5a1b41bc97f1ad230a41657d9155113c7521953869ae57ac39ac7f1bb471469a"}, - {file = "cryptography-41.0.7-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:841df4caa01008bad253bce2a6f7b47f86dc9f08df4b433c404def869f590a15"}, - {file = "cryptography-41.0.7-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5429ec739a29df2e29e15d082f1d9ad683701f0ec7709ca479b3ff2708dae65a"}, - {file = "cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:43f2552a2378b44869fe8827aa19e69512e3245a219104438692385b0ee119d1"}, - {file = "cryptography-41.0.7-cp37-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:af03b32695b24d85a75d40e1ba39ffe7db7ffcb099fe507b39fd41a565f1b157"}, - {file = "cryptography-41.0.7-cp37-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:49f0805fc0b2ac8d4882dd52f4a3b935b210935d500b6b805f321addc8177406"}, - {file = "cryptography-41.0.7-cp37-abi3-win32.whl", hash = "sha256:f983596065a18a2183e7f79ab3fd4c475205b839e02cbc0efbbf9666c4b3083d"}, - {file = "cryptography-41.0.7-cp37-abi3-win_amd64.whl", hash = "sha256:90452ba79b8788fa380dfb587cca692976ef4e757b194b093d845e8d99f612f2"}, - {file = "cryptography-41.0.7-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:079b85658ea2f59c4f43b70f8119a52414cdb7be34da5d019a77bf96d473b960"}, - {file = 
"cryptography-41.0.7-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:b640981bf64a3e978a56167594a0e97db71c89a479da8e175d8bb5be5178c003"}, - {file = "cryptography-41.0.7-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:e3114da6d7f95d2dee7d3f4eec16dacff819740bbab931aff8648cb13c5ff5e7"}, - {file = "cryptography-41.0.7-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:d5ec85080cce7b0513cfd233914eb8b7bbd0633f1d1703aa28d1dd5a72f678ec"}, - {file = "cryptography-41.0.7-pp38-pypy38_pp73-macosx_10_12_x86_64.whl", hash = "sha256:7a698cb1dac82c35fcf8fe3417a3aaba97de16a01ac914b89a0889d364d2f6be"}, - {file = "cryptography-41.0.7-pp38-pypy38_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:37a138589b12069efb424220bf78eac59ca68b95696fc622b6ccc1c0a197204a"}, - {file = "cryptography-41.0.7-pp38-pypy38_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:68a2dec79deebc5d26d617bfdf6e8aab065a4f34934b22d3b5010df3ba36612c"}, - {file = "cryptography-41.0.7-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:09616eeaef406f99046553b8a40fbf8b1e70795a91885ba4c96a70793de5504a"}, - {file = "cryptography-41.0.7-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:48a0476626da912a44cc078f9893f292f0b3e4c739caf289268168d8f4702a39"}, - {file = "cryptography-41.0.7-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:c7f3201ec47d5207841402594f1d7950879ef890c0c495052fa62f58283fde1a"}, - {file = "cryptography-41.0.7-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:c5ca78485a255e03c32b513f8c2bc39fedb7f5c5f8535545bdc223a03b24f248"}, - {file = "cryptography-41.0.7-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:d6c391c021ab1f7a82da5d8d0b3cee2f4b2c455ec86c8aebbc84837a631ff309"}, - {file = "cryptography-41.0.7.tar.gz", hash = "sha256:13f93ce9bea8016c253b34afc6bd6a75993e5c40672ed5405a9c832f0d4a00bc"}, + {file = "cryptography-42.0.0-cp37-abi3-macosx_10_12_universal2.whl", hash = "sha256:c640b0ef54138fde761ec99a6c7dc4ce05e80420262c20fa239e694ca371d434"}, + {file = 
"cryptography-42.0.0-cp37-abi3-macosx_10_12_x86_64.whl", hash = "sha256:678cfa0d1e72ef41d48993a7be75a76b0725d29b820ff3cfd606a5b2b33fda01"}, + {file = "cryptography-42.0.0-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:146e971e92a6dd042214b537a726c9750496128453146ab0ee8971a0299dc9bd"}, + {file = "cryptography-42.0.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:87086eae86a700307b544625e3ba11cc600c3c0ef8ab97b0fda0705d6db3d4e3"}, + {file = "cryptography-42.0.0-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:0a68bfcf57a6887818307600c3c0ebc3f62fbb6ccad2240aa21887cda1f8df1b"}, + {file = "cryptography-42.0.0-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:5a217bca51f3b91971400890905a9323ad805838ca3fa1e202a01844f485ee87"}, + {file = "cryptography-42.0.0-cp37-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:ca20550bb590db16223eb9ccc5852335b48b8f597e2f6f0878bbfd9e7314eb17"}, + {file = "cryptography-42.0.0-cp37-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:33588310b5c886dfb87dba5f013b8d27df7ffd31dc753775342a1e5ab139e59d"}, + {file = "cryptography-42.0.0-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9515ea7f596c8092fdc9902627e51b23a75daa2c7815ed5aa8cf4f07469212ec"}, + {file = "cryptography-42.0.0-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:35cf6ed4c38f054478a9df14f03c1169bb14bd98f0b1705751079b25e1cb58bc"}, + {file = "cryptography-42.0.0-cp37-abi3-win32.whl", hash = "sha256:8814722cffcfd1fbd91edd9f3451b88a8f26a5fd41b28c1c9193949d1c689dc4"}, + {file = "cryptography-42.0.0-cp37-abi3-win_amd64.whl", hash = "sha256:a2a8d873667e4fd2f34aedab02ba500b824692c6542e017075a2efc38f60a4c0"}, + {file = "cryptography-42.0.0-cp39-abi3-macosx_10_12_universal2.whl", hash = "sha256:8fedec73d590fd30c4e3f0d0f4bc961aeca8390c72f3eaa1a0874d180e868ddf"}, + {file = "cryptography-42.0.0-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:be41b0c7366e5549265adf2145135dca107718fa44b6e418dc7499cfff6b4689"}, + {file = "cryptography-42.0.0-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ca482ea80626048975360c8e62be3ceb0f11803180b73163acd24bf014133a0"}, + {file = "cryptography-42.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:c58115384bdcfe9c7f644c72f10f6f42bed7cf59f7b52fe1bf7ae0a622b3a139"}, + {file = "cryptography-42.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:56ce0c106d5c3fec1038c3cca3d55ac320a5be1b44bf15116732d0bc716979a2"}, + {file = "cryptography-42.0.0-cp39-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:324721d93b998cb7367f1e6897370644751e5580ff9b370c0a50dc60a2003513"}, + {file = "cryptography-42.0.0-cp39-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:d97aae66b7de41cdf5b12087b5509e4e9805ed6f562406dfcf60e8481a9a28f8"}, + {file = "cryptography-42.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:85f759ed59ffd1d0baad296e72780aa62ff8a71f94dc1ab340386a1207d0ea81"}, + {file = "cryptography-42.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:206aaf42e031b93f86ad60f9f5d9da1b09164f25488238ac1dc488334eb5e221"}, + {file = "cryptography-42.0.0-cp39-abi3-win32.whl", hash = "sha256:74f18a4c8ca04134d2052a140322002fef535c99cdbc2a6afc18a8024d5c9d5b"}, + {file = "cryptography-42.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:14e4b909373bc5bf1095311fa0f7fcabf2d1a160ca13f1e9e467be1ac4cbdf94"}, + {file = "cryptography-42.0.0-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:3005166a39b70c8b94455fdbe78d87a444da31ff70de3331cdec2c568cf25b7e"}, + {file = "cryptography-42.0.0-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:be14b31eb3a293fc6e6aa2807c8a3224c71426f7c4e3639ccf1a2f3ffd6df8c3"}, + {file = "cryptography-42.0.0-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:bd7cf7a8d9f34cc67220f1195884151426ce616fdc8285df9054bfa10135925f"}, + {file = "cryptography-42.0.0-pp310-pypy310_pp73-win_amd64.whl", hash = 
"sha256:c310767268d88803b653fffe6d6f2f17bb9d49ffceb8d70aed50ad45ea49ab08"}, + {file = "cryptography-42.0.0-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:bdce70e562c69bb089523e75ef1d9625b7417c6297a76ac27b1b8b1eb51b7d0f"}, + {file = "cryptography-42.0.0-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:e9326ca78111e4c645f7e49cbce4ed2f3f85e17b61a563328c85a5208cf34440"}, + {file = "cryptography-42.0.0-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:69fd009a325cad6fbfd5b04c711a4da563c6c4854fc4c9544bff3088387c77c0"}, + {file = "cryptography-42.0.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:988b738f56c665366b1e4bfd9045c3efae89ee366ca3839cd5af53eaa1401bce"}, + {file = "cryptography-42.0.0.tar.gz", hash = "sha256:6cf9b76d6e93c62114bd19485e5cb003115c134cf9ce91f8ac924c44f8c8c3f4"}, ] [package.dependencies] -cffi = ">=1.12" +cffi = {version = ">=1.12", markers = "platform_python_implementation != \"PyPy\""} [package.extras] docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=1.1.1)"] -docstest = ["pyenchant (>=1.6.11)", "sphinxcontrib-spelling (>=4.0.1)", "twine (>=1.12.0)"] +docstest = ["pyenchant (>=1.6.11)", "readme-renderer", "sphinxcontrib-spelling (>=4.0.1)"] nox = ["nox"] -pep8test = ["black", "check-sdist", "mypy", "ruff"] +pep8test = ["check-sdist", "click", "mypy", "ruff"] sdist = ["build"] ssh = ["bcrypt (>=3.1.5)"] -test = ["pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] +test = ["certifi", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] test-randomorder = ["pytest-randomly"] [[package]] From 6b78589cf8dccfb3899d45d4cc83c8d72cbaf3f8 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 10:01:27 -0500 Subject: [PATCH 02/39] PASS-16: conflicting general orb merge --- .circleci/config.yml | 2 +- .circleci/helm.operator-crds.yml | 2 +- .circleci/src.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.circleci/config.yml b/.circleci/config.yml index a5355ed..cab5929 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,7 +5,7 @@ setup: true orbs: dynamic: bjd2385/dynamic-continuation@3.8.1 - general: premiscale/general@1.0.13 + general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 slack: circleci/slack@4.12.5 diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml index 090c707..765e1b2 100644 --- a/.circleci/helm.operator-crds.yml +++ b/.circleci/helm.operator-crds.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@1.0.13 + general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 workflows: diff --git a/.circleci/src.yml b/.circleci/src.yml index 6bc62dc..db1f597 100644 --- a/.circleci/src.yml +++ b/.circleci/src.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@1.0.13 + general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 executors: From b47ab1c73fe4550bf94282ebc34c8688912d9b9c Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 10:33:14 -0500 Subject: [PATCH 03/39] PASS-16: bump general to test --- .circleci/config.yml | 2 +- .circleci/helm.operator-crds.yml | 2 +- .circleci/helm.yml | 2 +- .circleci/src.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index cab5929..e2a995b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,7 +5,7 @@ setup: true orbs: dynamic: bjd2385/dynamic-continuation@3.8.1 - general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 + general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 slack: circleci/slack@4.12.5 diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml index 765e1b2..57ed7e6 100644 --- a/.circleci/helm.operator-crds.yml +++ b/.circleci/helm.operator-crds.yml 
@@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 + general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 workflows: diff --git a/.circleci/helm.yml b/.circleci/helm.yml index fe6f34d..fbe7b61 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 + general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 workflows: diff --git a/.circleci/src.yml b/.circleci/src.yml index db1f597..f550702 100644 --- a/.circleci/src.yml +++ b/.circleci/src.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:15d6e3e08a70abbd844e3af116283638f1d54f21 + general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 executors: From 26fd70a0be463002de50ae12de5d753f4da3406b Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 10:37:25 -0500 Subject: [PATCH 04/39] PASS-16: test kubesec --- .circleci/config.yml | 2 +- .circleci/helm.operator-crds.yml | 2 +- .circleci/helm.yml | 2 +- .circleci/src.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e2a995b..46b3db6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,7 +5,7 @@ setup: true orbs: dynamic: bjd2385/dynamic-continuation@3.8.1 - general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 + general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 slack: circleci/slack@4.12.5 diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml index 57ed7e6..5dfb353 100644 --- a/.circleci/helm.operator-crds.yml +++ b/.circleci/helm.operator-crds.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 + general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 workflows: 
diff --git a/.circleci/helm.yml b/.circleci/helm.yml index fbe7b61..913fca9 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 + general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 workflows: diff --git a/.circleci/src.yml b/.circleci/src.yml index f550702..6efb7dd 100644 --- a/.circleci/src.yml +++ b/.circleci/src.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:675846c500dbef9804bd852fd5738e5f2154d0f6 + general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 executors: From a65cebc6b1638f563263326d53baedb73a592ada Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 10:43:43 -0500 Subject: [PATCH 05/39] PASS-16: bump version again --- .circleci/config.yml | 2 +- .circleci/helm.operator-crds.yml | 2 +- .circleci/helm.yml | 2 +- .circleci/src.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 46b3db6..624e8bf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,7 +5,7 @@ setup: true orbs: dynamic: bjd2385/dynamic-continuation@3.8.1 - general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 + general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 slack: circleci/slack@4.12.5 diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml index 5dfb353..f3f642d 100644 --- a/.circleci/helm.operator-crds.yml +++ b/.circleci/helm.operator-crds.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 + general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 workflows: diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 913fca9..5c53b61 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml 
@@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 + general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 workflows: diff --git a/.circleci/src.yml b/.circleci/src.yml index 6efb7dd..41da3e8 100644 --- a/.circleci/src.yml +++ b/.circleci/src.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:c47d2738709c0ed403c5d88b89334f249e8d04d5 + general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 executors: From e09527c8f4420b436fcaf76ecbda53f320cc0035 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 10:46:48 -0500 Subject: [PATCH 06/39] PASS-16: push --- .circleci/helm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 5c53b61..28e78fc 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -12,6 +12,8 @@ workflows: name: helm lint - general/helm-test-kubesec: + kubeconform-schema: >- + --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/master/helm/operator-crds/templates/PassSecret.yaml name: kubesec - general/helm-test-kubelinter: From 3aeab04643563f77fd5d4076f67d4a7496eec5bc Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 10:55:10 -0500 Subject: [PATCH 07/39] PASS-16: parameterize branch --- .circleci/helm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 28e78fc..9099192 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -13,7 +13,7 @@ workflows: - general/helm-test-kubesec: kubeconform-schema: >- - --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/master/helm/operator-crds/templates/PassSecret.yaml + --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/$CIRCLE_BRANCH/helm/operator-crds/templates/PassSecret.yaml name: kubesec - general/helm-test-kubelinter: 
From 2666aa44fe643e3f24e57dea3d62d86b34ee1bb5 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 10:56:15 -0500 Subject: [PATCH 08/39] PASS-16: Try JSON instead --- .circleci/helm.yml | 2 +- PassSecret.json | 127 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 PassSecret.json diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 9099192..15724fc 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -13,7 +13,7 @@ workflows: - general/helm-test-kubesec: kubeconform-schema: >- - --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/$CIRCLE_BRANCH/helm/operator-crds/templates/PassSecret.yaml + --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/$CIRCLE_BRANCH/PassSecret.json name: kubesec - general/helm-test-kubelinter: diff --git a/PassSecret.json b/PassSecret.json new file mode 100644 index 0000000..caef01f --- /dev/null +++ b/PassSecret.json 
@@ -0,0 +1,127 @@ +{ + "apiVersion": "apiextensions.k8s.io/v1", + "kind": "CustomResourceDefinition", + "metadata": { + "name": "passsecrets.secrets.premiscale.com" + }, + "spec": { + "group": "secrets.premiscale.com", + "scope": "Namespaced", + "names": { + "kind": "PassSecret", + "listKind": "PassSecretList", + "plural": "passsecrets", + "singular": "passsecret" + }, + "versions": [ + { + "name": "v1alpha1", + "deprecated": false, + "served": true, + "storage": true, + "additionalPrinterColumns": [ + { + "name": "Secret Name", + "type": "string", + "jsonPath": ".spec.managedSecret.name" + }, + { + "name": "Secret Namespace", + "type": "string", + "jsonPath": ".spec.managedSecret.namespace" + }, + { + "name": "Secret Type", + "type": "string", + "jsonPath": ".spec.managedSecret.type" + }, + { + "name": "Age", + "type": "date", + "jsonPath": ".metadata.creationTimestamp" + } + ], + "schema": { + "openAPIV3Schema": { + "x-kubernetes-embedded-resource": true, + "description": "PassSecret is the schema for the PassOperator API.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values. More info:\n\nhttps://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\n", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated. In CamelCase. 
More info:\n\nhttps://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\n", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "PassSecretSpec defines the desired state of a PassSecret.", + "type": "object", + "properties": { + "encryptedData": { + "description": "Data to be contained in the secret.\n", + "type": "object", + "minProperties": 1, + "additionalProperties": { + "type": "string" + } + }, + "managedSecret": { + "description": "Configure the managed Kubernetes secret object's fields.", + "type": "object", + "properties": { + "name": { + "description": "Name of the Kubernetes Secret object to create.", + "type": "string" + }, + "namespace": { + "description": "Namespace in which to create the Kubernetes secret.", + "type": "string" + }, + "type": { + "description": "Kubernetes Secret type to create.", + "type": "string", + "default": "Opaque", + "enum": [ + "Opaque", + "kubernetes.io/service-account-token", + "kubernetes.io/dockercfg", + "kubernetes.io/dockerconfigjson", + "kubernetes.io/basic-auth", + "kubernetes.io/ssh-auth", + "kubernetes.io/tls", + "bootstrap.kubernetes.io/token" + ] + }, + "immutable": { + "description": "Optionally configure whether the destination secret should be immutable.\nThis will raise warnings in the operator's log output as the managed\nsecret will have to be deleted prior to the operator being able to\nupdate it. This is also a bit of an anti-pattern.\n", + "type": "boolean", + "default": false + } + }, + "required": [ + "name", + "namespace" + ] + } + }, + "required": [ + "encryptedData", + "managedSecret" + ] + }, + "status": { + "description": "Current state of the PassSecret on the Kubernetes cluster.", + "type": "object" + } + } + } + } + } + ] + } +} From 8a2a16f994d97f107774ab45de5a136da39d13ad Mon Sep 17 00:00:00 2001 
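Review bot: As committed this file is a CustomResourceDefinition manifest, not a JSON Schema, yet it is what `--schema-location` in `.circleci/helm.yml` hands to kubeconform; JSON Schema validators ignore unknown keywords such as `apiVersion` and `spec`, so rendered `PassSecret` objects would, as far as I can tell, pass against an effectively empty schema rather than against `spec.versions[0].schema.openAPIV3Schema`. The usual fix is to generate the schema from the CRD with `openapi2jsonschema` (or equivalent) so kubeconform receives the `openAPIV3Schema` subtree with `$schema` set. Separately, `status` is declared as `{"type": "object"}` with no properties and no `x-kubernetes-preserve-unknown-fields`, so the API server prunes whatever the operator writes there; `"status": {"type": "object", "x-kubernetes-preserve-unknown-fields": true}` keeps it. This JSON is also a second hand-maintained copy of `helm/operator-crds/templates/PassSecret.yaml`, so a CI step asserting the two stay in sync would prevent drift.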
From: Emma Doyle Date: Tue, 23 Jan 2024 11:11:13 -0500 Subject: [PATCH 09/39] PASS-16: Fix CI --- .circleci/config.yml | 2 +- .circleci/helm.operator-crds.yml | 2 +- .circleci/helm.yml | 4 ++-- .circleci/src.yml | 2 +- helm/operator-crds/.helmignore | 1 + PassSecret.json => helm/operator-crds/_json/PassSecret.json | 0 6 files changed, 6 insertions(+), 5 deletions(-) rename PassSecret.json => helm/operator-crds/_json/PassSecret.json (100%) diff --git a/.circleci/config.yml b/.circleci/config.yml index 624e8bf..c60b028 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,7 +5,7 @@ setup: true orbs: dynamic: bjd2385/dynamic-continuation@3.8.1 - general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 + general: premiscale/general@1.1.0 slack: circleci/slack@4.12.5 diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml index f3f642d..309f88a 100644 --- a/.circleci/helm.operator-crds.yml +++ b/.circleci/helm.operator-crds.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 + general: premiscale/general@1.1.0 workflows: diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 15724fc..14ba7d2 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 + general: premiscale/general@1.1.0 workflows: @@ -13,7 +13,7 @@ workflows: - general/helm-test-kubesec: kubeconform-schema: >- - --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/$CIRCLE_BRANCH/PassSecret.json + --schema-location https://raw.githubusercontent.com/premiscale/pass-operator/$CIRCLE_BRANCH/helm/operator-crds/_json/PassSecret.json name: kubesec - general/helm-test-kubelinter: diff --git a/.circleci/src.yml b/.circleci/src.yml index 41da3e8..87f7192 100644 --- a/.circleci/src.yml +++ b/.circleci/src.yml 
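Review bot: The kubesec job now validates against a schema fetched from `raw.githubusercontent.com/.../$CIRCLE_BRANCH/...` at run time, so the check depends on the branch already existing in the `premiscale/pass-operator` remote (a fork PR, or a shell that does not expand `$CIRCLE_BRANCH`, yields a 404 or validation against nothing) and on GitHub being reachable from CI. kubeconform accepts local file paths for `-schema-location`, so pointing at the checked-out file, `--schema-location helm/operator-crds/_json/PassSecret.json`, validates the exact commit under test and removes the network and mutable-ref dependency; this assumes the orb runs kubeconform from the repository root, which I cannot see from here. Whether the parameter is shell-expanded at all depends on how `general/helm-test-kubesec` passes it through, so that is worth confirming in the orb.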
@@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@dev:8bc653b0e1690e6e2562d16ebbd3218ead2bc9d6 + general: premiscale/general@1.1.0 executors: diff --git a/helm/operator-crds/.helmignore b/helm/operator-crds/.helmignore index 0e8a0eb..b79edb7 100644 --- a/helm/operator-crds/.helmignore +++ b/helm/operator-crds/.helmignore @@ -21,3 +21,4 @@ .idea/ *.tmproj .vscode/ +_json/ \ No newline at end of file diff --git a/PassSecret.json b/helm/operator-crds/_json/PassSecret.json similarity index 100% rename from PassSecret.json rename to helm/operator-crds/_json/PassSecret.json From 4088a7fa191549f150dc243c11782027c1b0b2c7 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 11:14:40 -0500 Subject: [PATCH 10/39] PASS-16: Fix one kubelinter issue --- helm/operator/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index baab1dc..0fc91f1 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -6,7 +6,7 @@ global: deployment: image: name: pass-operator - tag: latest + tag: ignore pullPolicy: Always resources: From db22c776beb4bef5e6447ed974d28c9eba8ef12a Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 12:55:42 -0500 Subject: [PATCH 11/39] PASS-16: fix runAsNonRoot, strides toward RO root filesystem --- helm/operator/templates/deployment.yaml | 11 +++++++++++ helm/operator/values.yaml | 7 +++++++ 2 files changed, 18 insertions(+) diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index 7c4f152..82d0aa8 100644 --- a/helm/operator/templates/deployment.yaml +++ b/helm/operator/templates/deployment.yaml 
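Review bot: `tag: ignore` silences kube-linter's `latest-tag` check but leaves the default install referencing `pass-operator:ignore`, which presumably does not exist, so with `pullPolicy: Always` a `helm install` without `--set deployment.image.tag=...` ends in ImagePullBackOff. The conventional fix is to default the tag to the chart's app version in the template, along the lines of `{{ .Values.deployment.image.tag | default .Chart.AppVersion }}`, and leave `tag: ""` in values.yaml with a comment saying it is optional; that satisfies the linter with a real, pinned reference. The deployment template's image line is outside this hunk, so I cannot confirm how the tag is consumed.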
@@ -45,6 +45,13 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + {{- with .Values.operator.git.volume }} + - name: pass + emptyDir: + medium: Memory + sizeLimit: {{ .sizeLimit }} + {{- end }} containers: ## Container v1 core (array) - name: {{ default .Values.deployment.name .Chart.Name }} @@ -61,6 +68,10 @@ spec: protocol: TCP {{- end }} {{- end }} + volumeMounts: + - name: pass + mountPath: /opt/pass-operator/.password-store/{{ .Values.operator.pass.subdirectory }} + readOnly: false env: # Operator - name: OPERATOR_INTERVAL diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index 0fc91f1..3e31ef2 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -23,6 +23,9 @@ deployment: path: /healthz config: {} + podSecurityContext: + runAsNonRoot: true + operator: interval: 60 @@ -61,6 +64,10 @@ operator: branch: main url: "" + # Memory-based filesystem to store git repository. + volume: + sizeLimit: 20Mi + service: create: false From 7e9b1d81e56ac24e2675c1ae4e38b0fbde61fc1a Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:04:54 -0500 Subject: [PATCH 12/39] PASS-16: Mount gpg directory, also --- Dockerfile | 1 + bin/entrypoint.sh | 6 +++--- bin/ssh_config | 2 -- helm/operator/templates/deployment.yaml | 9 +++++++++ helm/operator/values.yaml | 3 +++ 5 files changed, 16 insertions(+), 5 deletions(-) delete mode 100644 bin/ssh_config diff --git a/Dockerfile b/Dockerfile index 0dec735..3b3c01c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,6 +41,7 @@ ENV PATH=${PATH}:/opt/pass-operator/.local/bin # Install and initialize PremiScale. RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh \ + && printf "Host github.com\\n\\tStrictHostKeyChecking no\\n" > .ssh/config \ && pip install --upgrade pip \ && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}" diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh index 4a55f88..44f622c 100755 
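Review bot: The `pass` volume is emitted only inside `{{- with .Values.operator.git.volume }}`, but the matching `volumeMounts` entry added further down in this file is unconditional, so a user who nulls out `operator.git.volume` gets a Pod that mounts an undefined volume and is rejected at admission. Either drop the guard (the default `sizeLimit: 20Mi` is always set) or wrap both the volume and the mount in the same condition. Also worth a comment next to `medium: Memory`: a tmpfs emptyDir is charged against the container's memory limit, so `sizeLimit` has to fit inside `deployment.resources.limits.memory` or the pod can be evicted once the cloned repository grows.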
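Review bot: `StrictHostKeyChecking no` for `github.com` disables host-key verification on the SSH connection that clones the password store, so anything between the pod and GitHub can present its own key and serve or capture the repository; the deleted `bin/ssh_config` carried the same setting, so this commit relocates the weakness rather than introduces it, but it remains the wrong default for a secrets operator. GitHub publishes its SSH host keys, so the secure replacement is to write them into `"$HOME"/.ssh/known_hosts` at build time and leave strict checking on, e.g. `printf 'github.com ssh-ed25519 <published key>\n' > .ssh/known_hosts`, taking the value from GitHub's documentation rather than from `ssh-keyscan`, which trusts whatever answers at build time. Since the Git host is configurable via `operator.git.url`, the known_hosts content arguably belongs in a chart value or mounted Secret instead of the image.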
--- a/bin/entrypoint.sh +++ b/bin/entrypoint.sh @@ -29,9 +29,9 @@ printf "%s" "$PASS_SSH_PRIVATE_KEY" | ssh-add - if [ -z "$PASS_GPG_PASSPHRASE" ]; then echo "$PASS_GPG_KEY" | gpg --dearmor | gpg --batch --import else - echo "$PASS_GPG_KEY" | gpg --dearmor > dearmored_key.gpg - echo "$PASS_GPG_PASSPHRASE" | gpg --batch --import dearmored_key.gpg - rm dearmored_key.gpg + echo "$PASS_GPG_KEY" | gpg --dearmor > .gnupg/dearmored_key.gpg + echo "$PASS_GPG_PASSPHRASE" | gpg --batch --import .gnupg/dearmored_key.gpg + rm .gnupg/dearmored_key.gpg fi # Initialize pass with the indicated directory and GPG key ID to decrypt secrets pulled from the Git repository. diff --git a/bin/ssh_config b/bin/ssh_config deleted file mode 100644 index c426c14..0000000 --- a/bin/ssh_config +++ /dev/null @@ -1,2 +0,0 @@ -Host github.com - StrictHostKeyChecking no \ No newline at end of file diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index 82d0aa8..d74ba9e 100644 --- a/helm/operator/templates/deployment.yaml +++ b/helm/operator/templates/deployment.yaml @@ -52,6 +52,12 @@ spec: medium: Memory sizeLimit: {{ .sizeLimit }} {{- end }} + {{- with .Values.operator.gpg.volume }} + - name: gpg + emptyDir: + medium: Memory + sizeLimit: {{ .sizeLimit }} + {{- end }} containers: ## Container v1 core (array) - name: {{ default .Values.deployment.name .Chart.Name }} @@ -72,6 +78,9 @@ spec: - name: pass mountPath: /opt/pass-operator/.password-store/{{ .Values.operator.pass.subdirectory }} readOnly: false + - name: gpg + mountPath: /opt/pass-operator/.gnupg/ + readOnly: false env: # Operator - name: OPERATOR_INTERVAL diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index 3e31ef2..b93df64 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -60,6 +60,9 @@ operator: value: "" passphrase: "" + volume: + sizeLimit: 100Ki + git: branch: main url: "" From 10db1bd9f6f44c5ac8da2bba5ef158dee6de6891 Mon Sep 17 00:00:00 2001 
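Review bot: `echo "$PASS_GPG_PASSPHRASE" | gpg --batch --import .gnupg/dearmored_key.gpg` does not, as far as I know, hand the passphrase to gpg: in batch mode GnuPG 2.x reads a passphrase from stdin only with `--pinentry-mode loopback --passphrase-fd 0`, and importing a protected secret key does not require unlocking it, so the pipe is a no-op and decryption will still prompt or fail unless the passphrase is supplied at decrypt time (for example via `--passphrase-fd` or a gpg-agent preset). The key material is also written with `echo`, while the SSH key two lines up uses `printf "%s"`; `printf '%s\n' "$PASS_GPG_KEY" | gpg --dearmor > .gnupg/dearmored_key.gpg` is consistent and immune to `echo` interpreting a leading `-`. Whether the script runs under `set -e` is outside this hunk, so a failed import may currently go unnoticed until the first decrypt.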
From: Emma Doyle Date: Tue, 23 Jan 2024 13:07:06 -0500 Subject: [PATCH 13/39] PASS-16: Update readOnlyRootFilesystem --- helm/operator/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index b93df64..c5b5728 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -25,6 +25,7 @@ deployment: podSecurityContext: runAsNonRoot: true + readOnlyRootFilesystem: true operator: From b4d346722b6f56f3a00247cdddca5c4335e7adaf Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:08:44 -0500 Subject: [PATCH 14/39] PASS-16: fix ssh_config since it's deleted --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3b3c01c..6aeabca 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,6 +42,7 @@ ENV PATH=${PATH}:/opt/pass-operator/.local/bin # Install and initialize PremiScale. RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh \ && printf "Host github.com\\n\\tStrictHostKeyChecking no\\n" > .ssh/config \ + && chmod 400 .ssh/config \ && pip install --upgrade pip \ && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}" @@ -59,6 +60,5 @@ ENV OPERATOR_INTERVAL=60 \ PASS_SSH_PRIVATE_KEY="" COPY bin/entrypoint.sh /entrypoint.sh -COPY --chown=operator:operator --chmod=400 bin/ssh_config /opt/pass-operator/.ssh/config ENTRYPOINT [ "/tini", "--", "/entrypoint.sh" ] \ No newline at end of file From 75922d34b3b78014199db0d96105ed5a16184a1f Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:13:34 -0500 Subject: [PATCH 15/39] PASS-16: bump hooks v; fix securityContext on containers --- .pre-commit-config.yaml | 14 +++++++------- Dockerfile | 4 ++-- LICENSE | 2 +- helm/operator/templates/deployment.yaml | 2 +- helm/operator/values.yaml | 2 ++ 5 files changed, 13 insertions(+), 11 deletions(-) 
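Review bot: With a read-only root filesystem the entrypoint's `ssh-add -` needs a running ssh-agent (presumably started earlier in `bin/entrypoint.sh`, outside this hunk), and agents place their socket under `/tmp` or `$TMPDIR` by default; the chart now mounts tmpfs over `.password-store` and `.gnupg` but nothing over `/tmp`, so the agent start is likely to fail once this flag takes effect. An `emptyDir` at `/tmp`, e.g. `- name: tmp` / `emptyDir: { medium: Memory, sizeLimit: 1Mi }` with `mountPath: /tmp`, is the usual companion to `readOnlyRootFilesystem: true`. A one-line comment in `values.yaml` listing which paths the entrypoint writes to would make the read-only contract maintainable.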
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5910503..a2345d5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -13,7 +13,7 @@ repos: - Dockerfile - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: trailing-whitespace - id: check-added-large-files @@ -23,7 +23,7 @@ repos: - id: mixed-line-ending - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.3.0 + rev: v1.8.0 hooks: - id: mypy args: @@ -39,17 +39,17 @@ repos: - -x - repo: https://github.com/bjd2385/dynamic-continuation-orb - rev: v3.6.10 + rev: v3.8.1 hooks: - id: circleci-config-validate - repo: https://github.com/gruntwork-io/pre-commit - rev: v0.1.22 + rev: v0.1.23 hooks: - id: helmlint - repo: https://github.com/python-poetry/poetry - rev: 1.5.0 + rev: 1.7.0 hooks: - id: poetry-check - id: poetry-lock @@ -57,7 +57,7 @@ repos: args: ["-f", "requirements.txt", "-o", "requirements.txt"] - repo: https://github.com/PyCQA/pylint - rev: v3.0.0a6 + rev: v3.0.3 hooks: - id: pylint args: @@ -65,7 +65,7 @@ repos: - src/ - repo: https://github.com/abravalheri/validate-pyproject - rev: v0.13 + rev: v0.15 hooks: - id: validate-pyproject diff --git a/Dockerfile b/Dockerfile index 6aeabca..fa903e6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG TAG=3.10.11 FROM ${IMAGE}:${TAG} # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys -LABEL org.opencontainers.image.description "© PremiScale, Inc. 2023" +LABEL org.opencontainers.image.description "© PremiScale, Inc. 2024" LABEL org.opencontainers.image.licenses "GPLv3" LABEL org.opencontainers.image.authors "Emma Doyle " LABEL org.opencontainers.image.documentation "https://premiscale.com" 
@@ -39,7 +39,7 @@ ARG PYTHON_PACKAGE_VERSION=0.0.1 ENV PATH=${PATH}:/opt/pass-operator/.local/bin -# Install and initialize PremiScale. +# Set up SSH and install the pass-operator package from my private registry. RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh \ && printf "Host github.com\\n\\tStrictHostKeyChecking no\\n" > .ssh/config \ && chmod 400 .ssh/config \ diff --git a/LICENSE b/LICENSE index 12333b3..4d68101 100644 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,7 @@ GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 - Copyright (C) 2023 PremiScale, Inc. + Copyright (C) 2024 PremiScale, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index d74ba9e..a56bee0 100644 --- a/helm/operator/templates/deployment.yaml +++ b/helm/operator/templates/deployment.yaml @@ -143,7 +143,7 @@ spec: value: {{ .value }} {{- end }} {{- end }} - {{- with .Values.deployment.securityContext }} + {{- with .Values.deployment.containerSecurityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index c5b5728..12fe14f 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -25,6 +25,8 @@ deployment: podSecurityContext: runAsNonRoot: true + + containerSecurityContext: readOnlyRootFilesystem: true From f25d8bd6b3d2a6140eac47bd0b02de6d9d51e29a Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:21:20 -0500 Subject: [PATCH 16/39] PASS-16: Bump general orb with bugfix --- .circleci/config.yml | 2 +- .circleci/helm.operator-crds.yml | 2 +- .circleci/helm.yml | 2 +- .circleci/src.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c60b028..0b5ad4e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
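Review bot: Renaming the values key from `deployment.securityContext` to `deployment.containerSecurityContext` in the deployment.yaml hunk silently drops any override an existing user has set, because `with` on the now-unknown key renders nothing and helm does not warn. Either keep a one-release fallback, `{{- with (.Values.deployment.containerSecurityContext | default .Values.deployment.securityContext) }}`, or record the rename in the chart's changelog/README so users carrying their own hardening settings do not end up with no container securityContext at all.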
@@ -5,7 +5,7 @@ setup: true orbs: dynamic: bjd2385/dynamic-continuation@3.8.1 - general: premiscale/general@1.1.0 + general: premiscale/general@1.1.1 slack: circleci/slack@4.12.5 diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml index 309f88a..116ffbd 100644 --- a/.circleci/helm.operator-crds.yml +++ b/.circleci/helm.operator-crds.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@1.1.0 + general: premiscale/general@1.1.1 workflows: diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 14ba7d2..623f6d7 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@1.1.0 + general: premiscale/general@1.1.1 workflows: diff --git a/.circleci/src.yml b/.circleci/src.yml index 87f7192..7f2bf8b 100644 --- a/.circleci/src.yml +++ b/.circleci/src.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: - general: premiscale/general@1.1.0 + general: premiscale/general@1.1.1 executors: From b240a9a4709bc5fd0432177038b34f390f97f548 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:26:02 -0500 Subject: [PATCH 17/39] PASS-16: Update user to uid --- Dockerfile | 2 +- helm/operator/values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fa903e6..7ea1a1f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,7 @@ RUN apt update \ && rm -rf /var/apt/lists/* # Add 'operator' user and group. -RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 1001 operator +RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 100001 operator WORKDIR /opt/pass-operator diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index 12fe14f..4942316 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -28,6 +28,7 @@ deployment: containerSecurityContext: readOnlyRootFilesystem: true + runAsUser: 100001 operator: From c58fd990da3639f33fe575285af66c1b66231195 Mon Sep 17 00:00:00 2001 
From: Emma Doyle Date: Tue, 23 Jan 2024 13:31:13 -0500 Subject: [PATCH 18/39] PASS-16: Add another mountpoint for ssh --- helm/operator/templates/deployment.yaml | 9 +++++++++ helm/operator/values.yaml | 3 +++ 2 files changed, 12 insertions(+) diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index a56bee0..57a158d 100644 --- a/helm/operator/templates/deployment.yaml +++ b/helm/operator/templates/deployment.yaml @@ -58,6 +58,12 @@ spec: medium: Memory sizeLimit: {{ .sizeLimit }} {{- end }} + {{- with .Values.operator.ssh.volume }} + - name: ssh + emptyDir: + medium: Memory + sizeLimit: {{ .sizeLimit }} + {{- end }} containers: ## Container v1 core (array) - name: {{ default .Values.deployment.name .Chart.Name }} @@ -81,6 +87,9 @@ spec: - name: gpg mountPath: /opt/pass-operator/.gnupg/ readOnly: false + - name: ssh + mountPath: /opt/pass-operator/.ssh/ + readOnly: false env: # Operator - name: OPERATOR_INTERVAL diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index 4942316..fe4fc7d 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -54,6 +54,9 @@ operator: # raw string of the secret key b64enc'd. value: "" + volume: + sizeLimit: 256Ki + gpg: createSecret: false From 2d60b0a30a8eb4159f1918638ad7e18b36ae6187 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:38:07 -0500 Subject: [PATCH 19/39] PASS-16: fix space --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7ea1a1f..6b7a3d6 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -41,7 +41,7 @@ ENV PATH=${PATH}:/opt/pass-operator/.local/bin # Set up SSH and install the pass-operator package from my private registry. RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh \ - && printf "Host github.com\\n\\tStrictHostKeyChecking no\\n" > .ssh/config \ + && printf "Host github.com\\n StrictHostKeyChecking no\\n" > .ssh/config \ && chmod 400 .ssh/config \ && pip install --upgrade pip \ && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}" From 6874a187483cd084938dab7692cb2ba15eab9615 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:44:47 -0500 Subject: [PATCH 20/39] PASS-16: Fix overwriting mountpoints --- Dockerfile | 2 -- bin/entrypoint.sh | 4 ++++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6b7a3d6..e4d430d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,8 +41,6 @@ ENV PATH=${PATH}:/opt/pass-operator/.local/bin # Set up SSH and install the pass-operator package from my private registry. RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh \ - && printf "Host github.com\\n StrictHostKeyChecking no\\n" > .ssh/config \ - && chmod 400 .ssh/config \ && pip install --upgrade pip \ && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}" diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh index 44f622c..0b6c5bf 100755 --- a/bin/entrypoint.sh +++ b/bin/entrypoint.sh @@ -24,6 +24,10 @@ fi eval "$(ssh-agent -s)" printf "%s" "$PASS_SSH_PRIVATE_KEY" | ssh-add - +# Set up ~/.ssh/config to disable strict host key checking on github.com. +printf "Host github.com\\n StrictHostKeyChecking no\\n" > ~/.ssh/config +chmod 400 ~/.ssh/config + # Import private gpg key for secrets' decryption. # Generate the contents of this env var with 'gpg --armor --export-private-key | base64 | pbcopy' if [ -z "$PASS_GPG_PASSPHRASE" ]; then 
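Review bot: In the entrypoint.sh hunk of PATCH 20, `printf ... > ~/.ssh/config` followed by `chmod 400 ~/.ssh/config` only works on the first start: if `~/.ssh` outlives the container (it is the `ssh` emptyDir mounted in PATCH 18, and an emptyDir survives container restarts within a pod), the next start runs as a non-root user against an existing 0400 file and the redirect fails with permission denied. Removing the file first, `rm -f ~/.ssh/config`, makes the step idempotent. Whether a failed redirect aborts the script depends on a `set -e` that is outside the hunk.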
From 6cba7e8832f86d7febbe4b89537f5567c7cfe6ad Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:49:48 -0500 Subject: [PATCH 21/39] PASS-16: fix how groups and users are created --- Dockerfile | 3 ++- helm/operator/values.yaml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e4d430d..f6c0a8c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,7 +23,8 @@ RUN apt update \ && rm -rf /var/apt/lists/* # Add 'operator' user and group. -RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 100001 operator +RUN groupadd -r -g 975668 operator \ + useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator WORKDIR /opt/pass-operator diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index fe4fc7d..cec12c2 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -28,7 +28,8 @@ deployment: containerSecurityContext: readOnlyRootFilesystem: true - runAsUser: 100001 + runAsUser: 975668 + fsGroup: 975668 operator: From 9e92dd70a49db986ca9ad29aff6bf28b2b0b5d6f Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:52:54 -0500 Subject: [PATCH 22/39] PASS-16: && --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f6c0a8c..37ee366 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,7 +24,7 @@ RUN apt update \ # Add 'operator' user and group. RUN groupadd -r -g 975668 operator \ - useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator + && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator WORKDIR /opt/pass-operator From 592215be92abf16ced354b89e2cc79efc70bcccc Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 13:55:38 -0500 Subject: [PATCH 23/39] PASS-16: Fix From 8d835d492acca61a5856c39b1baa2ea9482ff465 Mon Sep 17 00:00:00 2001 
From: Emma Doyle Date: Tue, 23 Jan 2024 13:55:44 -0500 Subject: [PATCH 24/39] PASS-16: Fix dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 37ee366..c0e1b47 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,7 +24,7 @@ RUN apt update \ # Add 'operator' user and group. RUN groupadd -r -g 975668 operator \ - && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator + && useradd -rm -d /opt/pass-operator -s /bin/bash -u 975668 operator WORKDIR /opt/pass-operator From bf750d96bdd5f5ded5d621cc214eb9d86a4099c5 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:00:18 -0500 Subject: [PATCH 25/39] PASS-16: fix fsGroup -> podSecurityContext --- Dockerfile | 2 +- helm/operator/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index c0e1b47..37ee366 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,7 +24,7 @@ RUN apt update \ # Add 'operator' user and group. RUN groupadd -r -g 975668 operator \ - && useradd -rm -d /opt/pass-operator -s /bin/bash -u 975668 operator + && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator WORKDIR /opt/pass-operator diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index cec12c2..8af460e 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -25,11 +25,11 @@ deployment: podSecurityContext: runAsNonRoot: true + fsGroup: 975668 containerSecurityContext: readOnlyRootFilesystem: true runAsUser: 975668 - fsGroup: 975668 operator: From 0ee9f98ac7568e56bea12ee30d8931386361e2c4 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:02:16 -0500 Subject: [PATCH 26/39] PASS-16: Switch shell of Dockerfile --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 37ee366..84f21ae 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -3,6 +3,8 @@ ARG TAG=3.10.11 FROM ${IMAGE}:${TAG} +SHELL [ "/bin/bash" ] + # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys LABEL org.opencontainers.image.description "© PremiScale, Inc. 2024" LABEL org.opencontainers.image.licenses "GPLv3" From 3fbbbe1490a5518b50001ddde0c028c927982e97 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:04:06 -0500 Subject: [PATCH 27/39] PASS-16: Debug --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 84f21ae..804e39b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,9 @@ RUN apt update \ && rm -rf /var/apt/lists/* # Add 'operator' user and group. -RUN groupadd -r -g 975668 operator \ +RUN cat /etc/group \ + && groupadd -r -g 975668 operator \ + cat /etc/group \ && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator WORKDIR /opt/pass-operator From 38c13fdbdcb8c76edfa5656d770a208560c9acfe Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:09:37 -0500 Subject: [PATCH 28/39] PASS-16: Fix shell --- Dockerfile | 2 +- helm/operator/templates/deployment.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 804e39b..d13615d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ARG TAG=3.10.11 FROM ${IMAGE}:${TAG} -SHELL [ "/bin/bash" ] +SHELL [ "/bin/bash", "-c" ] # https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys LABEL org.opencontainers.image.description "© PremiScale, Inc. 2024" diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index 57a158d..33bad75 100644 --- a/helm/operator/templates/deployment.yaml +++ b/helm/operator/templates/deployment.yaml 
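Review bot: The `SHELL [ "/bin/bash", "-c" ]` in the PATCH 28 Dockerfile hunk still lets a failing left-hand command in a piped `RUN` step pass, since only the last command's status decides the build; `SHELL [ "/bin/bash", "-o", "pipefail", "-c" ]` is the usual form and is what hadolint's DL4006 asks for. No pipe is visible in the RUN lines of this series, so this is preventive rather than a current failure. For the record, `-c` was the piece missing in PATCH 26: without it bash treats the RUN command string as a script path.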
@@ -32,6 +32,7 @@ spec: labels: {{ include "pass-operator.selectorLabels" . | nindent 8 }} spec: ## PodSpec v1core + automountServiceAccountToken: false {{- if gt (len ((((.Values).deployment).pullSecrets) | default "")) 0 }} imagePullSecrets: {{- range $secret := .Values.deployment.pullSecrets }} From bb5cab03a9d5fb1515ee0da8c7b67d9737ae08e3 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:14:16 -0500 Subject: [PATCH 29/39] PASS-16: Forgot && --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d13615d..24718ca 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,7 +27,7 @@ RUN apt update \ # Add 'operator' user and group. RUN cat /etc/group \ && groupadd -r -g 975668 operator \ - cat /etc/group \ + && cat /etc/group \ && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator WORKDIR /opt/pass-operator From aca223239586309df88d91418d23065cb9f0305e Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:17:21 -0500 Subject: [PATCH 30/39] PASS-16: Succeed even if it exists --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 24718ca..9aa869e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,8 +25,7 @@ RUN apt update \ && rm -rf /var/apt/lists/* # Add 'operator' user and group. -RUN cat /etc/group \ - && groupadd -r -g 975668 operator \ +RUN groupadd -r -f -g 975668 operator \ && cat /etc/group \ && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator From 1439eeaf38c6cce8b3209ccaab00647ca6fc4dbb Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:22:16 -0500 Subject: [PATCH 31/39] PASS-16: Fix sa token automount --- helm/operator/templates/deployment.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index 33bad75..57a158d 100644 --- a/helm/operator/templates/deployment.yaml 
+++ b/helm/operator/templates/deployment.yaml @@ -32,7 +32,6 @@ spec: labels: {{ include "pass-operator.selectorLabels" . | nindent 8 }} spec: ## PodSpec v1core - automountServiceAccountToken: false {{- if gt (len ((((.Values).deployment).pullSecrets) | default "")) 0 }} imagePullSecrets: {{- range $secret := .Values.deployment.pullSecrets }} From 3612552daaf3c12d1ada1b25b7da107548a4057e Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:34:43 -0500 Subject: [PATCH 32/39] PASS-16: group number too high --- Dockerfile | 4 ++-- helm/operator/templates/deployment.yaml | 3 +-- helm/operator/values.yaml | 6 +++--- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9aa869e..46696b6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,9 +25,9 @@ RUN apt update \ && rm -rf /var/apt/lists/* # Add 'operator' user and group. -RUN groupadd -r -f -g 975668 operator \ +RUN groupadd -r -f -g 9756 operator \ && cat /etc/group \ - && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 975668 operator + && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 9756 operator WORKDIR /opt/pass-operator diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index 57a158d..0170810 100644 --- a/helm/operator/templates/deployment.yaml +++ b/helm/operator/templates/deployment.yaml @@ -69,8 +69,7 @@ spec: - name: {{ default .Values.deployment.name .Chart.Name }} args: [ --log-stdout, - --log-level, {{ .Values.operator.log.level }}, - --log-file, {{ .Values.operator.log.location }} + --log-level, {{ .Values.operator.log.level }} ] {{- with .Values.deployment.livenessProbe }} {{- if .enabled }} diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index 8af460e..ccf9ae7 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml 
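Review bot: Deleting `automountServiceAccountToken: false` in the deployment.yaml hunk restores the implicit default rather than stating the requirement; the operator appears to need the projected token (it builds `client.V1Secret` objects from kopf handlers, see PATCH 37), so the honest form is an explicit `automountServiceAccountToken: true` with a comment such as `# Required: the operator reconciles PassSecret objects and writes Secrets through the API.` That answers the token-automount finding from the kubesec/kube-linter jobs in the manifest itself and keeps the intent from being lost in the next hardening pass.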
@@ -25,11 +25,12 @@ deployment: podSecurityContext: runAsNonRoot: true - fsGroup: 975668 + fsGroupChangePolicy: OnRootMismatch + fsGroup: 9756 containerSecurityContext: readOnlyRootFilesystem: true - runAsUser: 975668 + runAsUser: 9756 operator: @@ -43,7 +44,6 @@ operator: log: level: info - location: /opt/pass-operator/runtime.log ssh: # If create is false, value is not used; users may bring their own. From 45ccef69637f13f5abcc25c12310ea6b2aa84d12 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:43:56 -0500 Subject: [PATCH 33/39] PASS-16: Further updates --- Dockerfile | 2 +- helm/operator/values.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 46696b6..4e46ec5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,7 +44,7 @@ ARG PYTHON_PACKAGE_VERSION=0.0.1 ENV PATH=${PATH}:/opt/pass-operator/.local/bin # Set up SSH and install the pass-operator package from my private registry. -RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh \ +RUN mkdir -p "$HOME"/.local/bin \ && pip install --upgrade pip \ && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}" diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index ccf9ae7..55d3713 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -30,7 +30,9 @@ deployment: containerSecurityContext: readOnlyRootFilesystem: true + allowPrivilegeEscalation: false runAsUser: 9756 + runAsGroup: 9756 operator: From 3660cc4a5d86b54bfeda453afc2dd7c482973c6a Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 14:57:27 -0500 Subject: [PATCH 34/39] PASS-16: Undo securityContexts and mounts; future work --- Dockerfile | 4 +--- bin/entrypoint.sh | 1 + helm/operator/templates/deployment.yaml | 29 ------------------------- helm/operator/values.yaml | 17 ++------------- 4 files changed, 4 insertions(+), 47 deletions(-) 
diff --git a/Dockerfile b/Dockerfile index 4e46ec5..72b140d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,9 +25,7 @@ RUN apt update \ && rm -rf /var/apt/lists/* # Add 'operator' user and group. -RUN groupadd -r -f -g 9756 operator \ - && cat /etc/group \ - && useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 9756 operator +RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 10001 operator WORKDIR /opt/pass-operator diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh index 0b6c5bf..aa06233 100755 --- a/bin/entrypoint.sh +++ b/bin/entrypoint.sh @@ -25,6 +25,7 @@ eval "$(ssh-agent -s)" printf "%s" "$PASS_SSH_PRIVATE_KEY" | ssh-add - # Set up ~/.ssh/config to disable strict host key checking on github.com. +mkdir .ssh/ printf "Host github.com\\n StrictHostKeyChecking no\\n" > ~/.ssh/config chmod 400 ~/.ssh/config diff --git a/helm/operator/templates/deployment.yaml b/helm/operator/templates/deployment.yaml index 0170810..fed26fd 100644 --- a/helm/operator/templates/deployment.yaml +++ b/helm/operator/templates/deployment.yaml @@ -45,25 +45,6 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} - volumes: - {{- with .Values.operator.git.volume }} - - name: pass - emptyDir: - medium: Memory - sizeLimit: {{ .sizeLimit }} - {{- end }} - {{- with .Values.operator.gpg.volume }} - - name: gpg - emptyDir: - medium: Memory - sizeLimit: {{ .sizeLimit }} - {{- end }} - {{- with .Values.operator.ssh.volume }} - - name: ssh - emptyDir: - medium: Memory - sizeLimit: {{ .sizeLimit }} - {{- end }} containers: ## Container v1 core (array) - name: {{ default .Values.deployment.name .Chart.Name }} 
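Review bot: The reinstated `useradd -rm ... -g operator -u 10001 operator` in the Dockerfile hunk creates no group, so `-g operator` resolves to whatever group of that name the base image already carries; on the Debian-based image implied by the `apt` lines this is presumably the pre-defined system group `operator` (GID 37), which would also explain why the earlier `groupadd ... operator` only succeeded once `-f` was added in PATCH 30. A UID 10001 / GID 37 pairing is unlikely to match any future `runAsGroup`/`fsGroup` value (the TODO left in values.yaml), and `chown -R operator:operator .` later in the file hands the home directory to that shared system group. Creating a dedicated group with a fixed GID and a non-colliding name, e.g. `groupadd -g 10001 pass-operator` and `useradd ... -g pass-operator -u 10001 operator`, pins the identity on both sides of the image/chart boundary. The base image is not visible in this chunk, so confirm the collision before changing it.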
@@ -79,16 +60,6 @@ spec: protocol: TCP {{- end }} {{- end }} - volumeMounts: - - name: pass - mountPath: /opt/pass-operator/.password-store/{{ .Values.operator.pass.subdirectory }} - readOnly: false - - name: gpg - mountPath: /opt/pass-operator/.gnupg/ - readOnly: false - - name: ssh - mountPath: /opt/pass-operator/.ssh/ - readOnly: false env: # Operator - name: OPERATOR_INTERVAL diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml index 55d3713..df2208b 100644 --- a/helm/operator/values.yaml +++ b/helm/operator/values.yaml @@ -25,14 +25,11 @@ deployment: podSecurityContext: runAsNonRoot: true - fsGroupChangePolicy: OnRootMismatch - fsGroup: 9756 containerSecurityContext: - readOnlyRootFilesystem: true + # TODO for a future sprint. + # readOnlyRootFilesystem: true allowPrivilegeEscalation: false - runAsUser: 9756 - runAsGroup: 9756 operator: @@ -57,9 +54,6 @@ operator: # raw string of the secret key b64enc'd. value: "" - volume: - sizeLimit: 256Ki - gpg: createSecret: false @@ -70,17 +64,10 @@ operator: value: "" passphrase: "" - volume: - sizeLimit: 100Ki - git: branch: main url: "" - # Memory-based filesystem to store git repository. - volume: - sizeLimit: 20Mi - service: create: false From d7f354efe7e291d7c593ec6e5c7e5a7f242ca7ac Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 15:00:16 -0500 Subject: [PATCH 35/39] PASS-16: exclude failing test --- .circleci/helm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.circleci/helm.yml b/.circleci/helm.yml index 623f6d7..8da915d 100644 --- a/.circleci/helm.yml +++ b/.circleci/helm.yml @@ -18,6 +18,8 @@ workflows: - general/helm-test-kubelinter: name: kubelinter + # TODO: re-enable this exclude + exclude: no-read-only-root-fs - general/helm-test-deprecated: name: deprecated api \ No newline at end of file From bbeae64a63689a979c68cb955234c1befed14a22 Mon Sep 17 00:00:00 2001 
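Review bot: With `readOnlyRootFilesystem` deferred in the first values.yaml hunk, the container securityContext that remains is only `allowPrivilegeEscalation: false`; two settings that cost nothing at runtime and that the kubesec/kube-linter jobs in the helm workflow typically look for are still absent: `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }`. Both can sit next to `allowPrivilegeEscalation: false` under `containerSecurityContext` without affecting an operator that already runs under `runAsNonRoot: true`. The TODO would also read better with the reason for the revert, e.g. `# TODO for a future sprint: needs the .ssh/.gnupg/.password-store paths back on writable volumes.`, so the next sprint knows what has to change before the flag can return.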
From: Emma Doyle Date: Tue, 23 Jan 2024 15:01:09 -0500 Subject: [PATCH 36/39] PASS-16: fix user name --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 72b140d..ca812d6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,7 +30,7 @@ RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 10001 operator WORKDIR /opt/pass-operator RUN chown -R operator:operator . -USER operator +USER 10001 ARG PYTHON_USERNAME ARG PYTHON_PASSWORD From 93a2db31175b63d282a49dc249d0be25bf31fee5 Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 15:09:18 -0500 Subject: [PATCH 37/39] PASS-16: Fix indices --- src/passoperator/operator.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/passoperator/operator.py b/src/passoperator/operator.py index 39e3215..87f3712 100644 --- a/src/passoperator/operator.py +++ b/src/passoperator/operator.py @@ -87,15 +87,15 @@ def update(body: kopf.Body, **_: Any) -> None: stringData = dict() - for secret in encryptedData: - secretValue = encryptedData[secret] + for secretKey in encryptedData: + secretPath = encryptedData[secretKey] if (decryptedSecret := decrypt( - Path(f'~/.password-store/{PASS_DIRECTORY}/{secretValue}').expanduser(), + Path(f'~/.password-store/{PASS_DIRECTORY}/{secretPath}').expanduser(), passphrase=PASS_GPG_PASSPHRASE )): - stringData[secret] = decryptedSecret + stringData[secretKey] = decryptedSecret else: - log.error(f'Could not decrypt contents of secret {secret["key"]} with path {secret["path"]}') + log.error(f'Could not decrypt contents of PassSecret {passSecretName} with path {secretPath}') raise kopf.PermanentError() body = client.V1Secret( 
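Review bot: `USER 10001` in the PATCH 36 Dockerfile hunk is right but the reason is not recorded, and the next reader will be tempted to put `USER operator` back for readability. A comment above it such as `# Numeric UID on purpose: with runAsNonRoot the kubelet cannot verify a named user and refuses to start the container.` ties the Dockerfile to the chart's `runAsNonRoot: true`. The value must also stay in step with the `useradd -u 10001` line above, which is outside the hunk.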
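Review bot: The decrypt loop in the PATCH 37 hunk of `update` is byte-identical to the one in `create` (the second hunk of the same patch), and the fix to the log message had to be applied twice; factoring it into one helper means the next correction lands once and keeps the two handlers from drifting. A second, hedged point: the walrus check treats any falsy result as a failure, so a legitimately empty pass entry that decrypts to `''` raises `kopf.PermanentError`; if `decrypt` signals failure with `None`, testing `is not None` would distinguish the two (its contract is outside the hunk). The helper below preserves the current truthiness behaviour and assumes `passSecretName` is bound earlier in both handlers, as the new log line already requires; both enclosing functions start outside the hunk.
```python
def _decrypt_secrets(encryptedData: dict[str, str], passSecretName: str) -> dict[str, str]:
    """Decrypt every pass entry referenced by a PassSecret.

    Returns the decrypted values keyed like encryptedData; raises
    kopf.PermanentError on the first entry that cannot be decrypted.
    """
    stringData = dict()

    for secretKey, secretPath in encryptedData.items():
        decryptedSecret = decrypt(
            Path(f'~/.password-store/{PASS_DIRECTORY}/{secretPath}').expanduser(),
            passphrase=PASS_GPG_PASSPHRASE
        )
        if not decryptedSecret:
            log.error(f'Could not decrypt contents of PassSecret {passSecretName} with path {secretPath}')
            raise kopf.PermanentError()
        stringData[secretKey] = decryptedSecret

    return stringData


# in update() and create(), replacing the duplicated loop:
    stringData = _decrypt_secrets(encryptedData, passSecretName)
    # … unchanged: body = client.V1Secret( …
```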
@@ -139,15 +139,15 @@ def create(body: kopf.Body, **_: Any) -> None: stringData = dict() - for secret in encryptedData: - secretValue = encryptedData[secret] + for secretKey in encryptedData: + secretPath = encryptedData[secretKey] if (decryptedSecret := decrypt( - Path(f'~/.password-store/{PASS_DIRECTORY}/{secretValue}').expanduser(), + Path(f'~/.password-store/{PASS_DIRECTORY}/{secretPath}').expanduser(), passphrase=PASS_GPG_PASSPHRASE )): - stringData[secret] = decryptedSecret + stringData[secretKey] = decryptedSecret else: - log.error(f'Could not decrypt contents of secret {secret["key"]} with path {secret["path"]}') + log.error(f'Could not decrypt contents of PassSecret {passSecretName} with path {secretPath}') raise kopf.PermanentError() body = client.V1Secret( From ced477da8b779418118c6393ae5250d6d15ea51a Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 15:12:53 -0500 Subject: [PATCH 38/39] PASS-16: Centralize directory creation --- Dockerfile | 2 +- bin/entrypoint.sh | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index ca812d6..9bb019d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,7 +42,7 @@ ARG PYTHON_PACKAGE_VERSION=0.0.1 ENV PATH=${PATH}:/opt/pass-operator/.local/bin # Set up SSH and install the pass-operator package from my private registry. -RUN mkdir -p "$HOME"/.local/bin \ +RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh "$HOME"/.gnupg \ && pip install --upgrade pip \ && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}" diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh index aa06233..0b6c5bf 100755 --- a/bin/entrypoint.sh +++ b/bin/entrypoint.sh @@ -25,7 +25,6 @@ eval "$(ssh-agent -s)" printf "%s" "$PASS_SSH_PRIVATE_KEY" | ssh-add - # Set up ~/.ssh/config to disable strict host key checking on github.com. -mkdir .ssh/ printf "Host github.com\\n StrictHostKeyChecking no\\n" > ~/.ssh/config chmod 400 ~/.ssh/config 
From 577b25a60c5666e08673e49bf50d6fe2eac69d2b Mon Sep 17 00:00:00 2001 From: Emma Doyle Date: Tue, 23 Jan 2024 15:16:57 -0500 Subject: [PATCH 39/39] PASS-16: Fix permissions issue --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 9bb019d..b7a5b51 100644 --- a/Dockerfile +++ b/Dockerfile @@ -43,6 +43,7 @@ ENV PATH=${PATH}:/opt/pass-operator/.local/bin # Set up SSH and install the pass-operator package from my private registry. RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh "$HOME"/.gnupg \ + && chmod 700 "$HOME"/.gnupg \ && pip install --upgrade pip \ && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}"