fix-e2e-test-clone: rename, fix e2e env cloning, decrypted PassSecret conversion (#135)

* fix-e2e-test-clone: rename, fix e2e env cloning, decrypted PassSecret
conversion
emmeowzing authored May 30, 2024
1 parent f14e155 commit a21b808
Showing 22 changed files with 547 additions and 297 deletions.
2 changes: 1 addition & 1 deletion .github/settings.yml
@@ -2,7 +2,7 @@ _extends: .github

repository:
name: pass-operator
description: A kubernetes operator that syncs and decrypts secrets from pass git repositories
description: A Kubernetes operator that syncs and decrypts secrets from pass store git repositories
homepage: https://github.com/premiscale/pass-operator

# A comma-separated list of topics to set on the repository
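Review bot: the repository description here ("pass store git repositories") and the Chart.yaml description edited in the same commit ("password store (https://www.passwordstore.org/) git repositories") still use different wording for the same thing; pick one phrasing, preferably the one carrying the passwordstore.org link, so the GitHub About text and the chart metadata match.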
6 changes: 3 additions & 3 deletions helm/README.md
@@ -1,5 +1,5 @@
# Operator and supporting Helm charts

- [`operator`](https://github.com/premiscale/pass-operator/tree/master/helm/operator) is the chart for deploying the Pass store operator
- [`operator-crds`](https://github.com/premiscale/pass-operator/tree/master/helm/operator-crds) is the chart for deploying the Pass store operator's custom resource definitions (CRDs)
- [`operator-e2e`](https://github.com/premiscale/pass-operator/tree/master/helm/operator-e2e) is the a for e2e-testing the operator and its CRDs.
- [`operator`](https://github.com/premiscale/pass-operator/tree/master/helm/operator) is the chart for deploying the pass store operator
- [`operator-crds`](https://github.com/premiscale/pass-operator/tree/master/helm/operator-crds) is the chart for deploying the pass store operator's custom resource definitions (CRDs)
- [`operator-e2e`](https://github.com/premiscale/pass-operator/tree/master/helm/operator-e2e) is a chart for e2e-testing the operator and its CRDs. Unless you're a developer, you won't need to use this Helm chart.
4 changes: 2 additions & 2 deletions helm/operator-crds/_json/PassSecret.json
@@ -63,9 +63,9 @@
"type": "object",
"properties": {
"encryptedData": {
"description": "Data to be contained in the secret.\n",
"description": "Data to be contained in the secret. Can be as few as zero key-value pairs, since the K8s API accepts Secrets with no data.\n",
"type": "object",
"minProperties": 1,
"minProperties": 0,
"additionalProperties": {
"type": "string"
}
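Review bot: relaxing `minProperties` to 0 removes the only schema-level guard against a PassSecret whose `encryptedData` is an empty map, so such an object is now admitted and will produce an empty Secret instead of being rejected by the API server. The description's justification (the K8s API accepts Secrets with no data) is correct, but the hunk does not show whether `encryptedData` is still listed under `required`; if it is, say in the description that the key must be present even when empty, and make sure the reconcile path treats `{}` as "nothing to decrypt" rather than as an error, or as a no-op that leaves a previously populated Secret in place.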
4 changes: 2 additions & 2 deletions helm/operator-crds/templates/PassSecret.yaml
@@ -59,9 +59,9 @@ spec:
properties:
encryptedData:
description: |+
Data to be contained in the secret.
Data to be contained in the secret. Can be as few as zero key-value pairs, since the K8s API accepts Secrets with no data.
type: object
minProperties: 1
minProperties: 0
# I tried to get patternProperties to work (1/20/24), but my control plane insisted it was a forbidden field.
# https://github.com/kubernetes/kubernetes/issues/59485#issuecomment-366600460
# Using the work-around I've found in Bitnami's SealedSecrets CRD for now ~
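Review bot: this is the same description and `minProperties` edit as helm/operator-crds/_json/PassSecret.json, maintained by hand in two places. The two copies were kept in lockstep here, but the description text and the surrounding patternProperties comment (dated 1/20/24) will drift eventually; consider generating the `_json` schema from this template, or the reverse, in the chart build so one edit covers both.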
20 changes: 10 additions & 10 deletions helm/operator-e2e/README.md
@@ -19,16 +19,16 @@ interface to installing this chart and others in a local e2e testing environment

### E2E Deployment

| Name | Description | Value |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------- |
| `deployment.pullSecrets` | A list of pull secret names. These names are automatically mapped to key: secretname in the imagePullSecrets field. | `[]` |
| `deployment.image.name` | The name of the image.## @param deployment.image.name [string, default: pass-operator] The name of the image. | `pass-operator` |
| `deployment.image.tag` | The tag of the image. The default is "ignore" to ensure users provide a tag. | `ignore` |
| `deployment.image.pullPolicy` | The pull policy of the image. | `Always` |
| `deployment.resources` | Set resources for the pod. | `{}` |
| `deployment.livenessProbe` | Configure the liveness probe for the pod. The defaults are set to check that SSHd is listening on TCP port 22. | `{}` |
| `deployment.podSecurityContext` | Configure the security context for the pod. | `{}` |
| `deployment.containerSecurityContext` | Configure the security context for the container. | `{}` |
| Name | Description | Value |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `deployment.pullSecrets` | A list of pull secret names. These names are automatically mapped to key: secretname in the imagePullSecrets field. | `[]` |
| `deployment.image.name` | The name of the image.## @param deployment.image.name [string, default: pass-operator] The name of the image. | `pass-operator-e2e` |
| `deployment.image.tag` | The tag of the image. The default is "ignore" to ensure users provide a tag. | `ignore` |
| `deployment.image.pullPolicy` | The pull policy of the image. | `Always` |
| `deployment.resources` | Set resources for the pod. | `{}` |
| `deployment.livenessProbe` | Configure the liveness probe for the pod. The defaults are set to check that SSHd is listening on TCP port 22. | `{}` |
| `deployment.podSecurityContext` | Configure the security context for the pod. | `{}` |
| `deployment.containerSecurityContext` | Configure the security context for the container. | `{}` |

### Operator Configuration

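Review bot: the `deployment.image.name` row now shows `pass-operator-e2e` in the Value column, but its Description cell still carries the doubled annotation text `The name of the image.## @param deployment.image.name [string, default: pass-operator] The name of the image.`, which names the old default. This README is generated from the `## @param` comments in values.yaml, so the fix belongs there (drop the stale second `## @param` fragment on that line) and the table should be regenerated rather than edited by hand.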
2 changes: 1 addition & 1 deletion helm/operator-e2e/values.schema.json
@@ -34,7 +34,7 @@
"name": {
"type": "string",
"description": "The name of the image.## @param deployment.image.name [string, default: pass-operator] The name of the image.",
"default": "pass-operator"
"default": "pass-operator-e2e"
},
"tag": {
"type": "string",
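Review bot: `default` is now `pass-operator-e2e`, but the `description` on the line above still ends with `[string, default: pass-operator] The name of the image.`, so the schema documents one default and enforces another. Same root cause as the README hunk: the doubled `## @param` annotation in helm/operator-e2e/values.yaml.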
2 changes: 1 addition & 1 deletion helm/operator-e2e/values.yaml
@@ -12,7 +12,7 @@ deployment:
pullSecrets: []

image:
## @param deployment.image.name [string, default: pass-operator] The name of the image.## @param deployment.image.name [string, default: pass-operator] The name of the image.
## @param deployment.image.name [string, default: pass-operator-e2e] The name of the image.## @param deployment.image.name [string, default: pass-operator] The name of the image.
name: pass-operator-e2e
## @param deployment.image.tag [string, default: ignore] The tag of the image. The default is "ignore" to ensure users provide a tag.
tag: ignore
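Review bot: the edited comment fixes the first `## @param deployment.image.name [string, default: pass-operator-e2e]` but keeps the second copy, `## @param deployment.image.name [string, default: pass-operator] The name of the image.`, appended on the same line. Delete that trailing fragment; it is what makes the README and values.schema.json generator emit the stale `pass-operator` default seen in the other two e2e hunks of this commit.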
2 changes: 1 addition & 1 deletion helm/operator/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
name: pass-operator
description: A kubernetes operator that syncs and decrypts secrets from password store (https://www.passwordstore.org/) git repositories.
description: A Kubernetes operator that syncs and decrypts secrets from password store (https://www.passwordstore.org/) git repositories.
type: application
version: 1.0.0
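Review bot: `version: 1.0.0` is unchanged although this commit changes user-facing chart defaults (`deployment.image.name` to `premiscale/pass-operator`, `operator.initial_delay` from 3 to 60, and the new `operator.gpg.threads` value rendered into the Deployment); bump the chart version so anyone pinning 1.0.0 does not get silently different rendered manifests.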
25 changes: 13 additions & 12 deletions helm/operator/README.md
@@ -162,24 +162,24 @@ helm upgrade --install password-store-operator helm/operator/ --namespace passwo
### Operator Deployment
| Name | Description | Value |
| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `deployment.pullSecrets` | A list of pull secret names. These names are automatically mapped to key: secretname in the imagePullSecrets field. | `[]` |
| `deployment.image.name` | The name of the image. | `pass-operator` |
| `deployment.image.tag` | The tag of the image. The default is "ignore" to ensure users provide a tag. | `ignore` |
| `deployment.image.pullPolicy` | The pull policy of the image. | `Always` |
| `deployment.resources` | Set resources for the pod. | `{}` |
| `deployment.livenessProbe` | Configure the liveness probe for the pod. The defaults are set to check the /healthz endpoint on port 8080, which is provided by Kopf. | `{}` |
| `deployment.podSecurityContext` | Configure the security context for the pod. | `{}` |
| `deployment.podSecurityContext.runAsNonRoot` | If true, the pod is required to run as a non-root user. | `true` |
| `deployment.containerSecurityContext` | Configure the security context for the container. | `{}` |
| Name | Description | Value |
| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `deployment.pullSecrets` | A list of pull secret names. These names are automatically mapped to key: secretname in the imagePullSecrets field. | `[]` |
| `deployment.image.name` | The name of the image. | `premiscale/pass-operator` |
| `deployment.image.tag` | The tag of the image. The default is "ignore" to ensure users provide a tag. | `ignore` |
| `deployment.image.pullPolicy` | The pull policy of the image. | `Always` |
| `deployment.resources` | Set resources for the pod. | `{}` |
| `deployment.livenessProbe` | Configure the liveness probe for the pod. The defaults are set to check the /healthz endpoint on port 8080, which is provided by Kopf. | `{}` |
| `deployment.podSecurityContext` | Configure the security context for the pod. | `{}` |
| `deployment.podSecurityContext.runAsNonRoot` | If true, the pod is required to run as a non-root user. | `true` |
| `deployment.containerSecurityContext` | Configure the security context for the container. | `{}` |
### Operator Configuration
| Name | Description | Value |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `operator.interval` | The interval in seconds to check for changes in the secrets in the pass store. | `60` |
| `operator.initial_delay` | The initial delay in seconds before the first check for changes in the secrets in the pass store. | `3` |
| `operator.initial_delay` | The initial delay in seconds before the first check for changes in the secrets in the pass store. | `60` |
| `operator.priority` | The priority of the operator. The higher the number, the higher the priority. Only useful if multiple operators are running. | `100` |
| `operator.pass.binary` | The path to the pass binary. | `""` |
| `operator.pass.storeSubPath` | A subpath within `~/.password-store`. | `""` |
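Review bot: `operator.initial_delay` moves from 3 to 60 seconds with no explanation in the commit message. That is a full minute before the first sync after the operator starts, which matters for anything that depends on a PassSecret being materialised during a rollout. If the longer delay is there to wait for the initial git clone or GPG key import, say so in the description, and note that the default `deployment.livenessProbe` (Kopf's /healthz on port 8080) reports the pod healthy throughout that window even though no secret has been synced yet.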
@@ -192,6 +192,7 @@ helm upgrade --install password-store-operator helm/operator/ --namespace passwo
| `operator.gpg.key_id` | The key ID of the (private) GPG key. | `""` |
| `operator.gpg.value` | The armored string of the private GPG key b64enc'd. | `""` |
| `operator.gpg.passphrase` | The passphrase for the GPG key, if there is one. | `""` |
| `operator.gpg.threads` | Number of threads to spawn for decryption. This can help significantly speed up decryption on secrets with many fields. | `4` |
| `operator.git.branch` | The branch of the Git repository to clone and pull from. | `main` |
| `operator.git.url` | The (SSH) URL of the Git repository. HTTPS is not supported at this time. | `""` |
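Review bot: the new `operator.gpg.threads` description says it speeds up decryption on secrets with many fields but not what one thread does or what bounds the value has. Each thread presumably runs a decryption of one field concurrently with the same private key and passphrase, so document the value as the number of concurrent decryption workers and state the accepted range; nothing in this commit's hunks declares a minimum or maximum for it.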
2 changes: 2 additions & 0 deletions helm/operator/templates/deployment.yaml
@@ -116,6 +116,8 @@ spec:
value: {{ .key_id }}
{{- end }}
{{- end }}
- name: PASS_DECRYPT_THREADS
value: {{ .Values.operator.gpg.threads | quote }}
- name: PASS_GIT_URL
value: {{ .Values.operator.git.url | quote }}
- name: PASS_GIT_BRANCH
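Review bot: `PASS_DECRYPT_THREADS` is rendered unconditionally with `| quote`, which is correct for an env value, but nothing in this hunk or in the accompanying values.schema.json hunk constrains the value, so `threads: 0` or a negative number renders without complaint and only fails or misbehaves at runtime inside the operator. Add `minimum: 1` to the schema, and consider placing this variable inside the GPG block above (next to the `key_id` entry) rather than between the block's closing `{{- end }}` lines and `PASS_GIT_URL`, so a reader finds it with the other GPG settings.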
9 changes: 7 additions & 2 deletions helm/operator/values.schema.json
@@ -34,7 +34,7 @@
"name": {
"type": "string",
"description": "The name of the image.",
"default": "pass-operator"
"default": "premiscale/pass-operator"
},
"tag": {
"type": "string",
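Review bot: the default now includes the registry namespace (`premiscale/pass-operator`), and the README and values.yaml hunks agree with it, but the e2e chart's `deployment.image.name` default changed in the same commit to `pass-operator-e2e` without a namespace. If both images are published under the same organisation, the two charts should follow one convention so users do not have to guess which one needs a prefix.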
@@ -71,7 +71,7 @@
"initial_delay": {
"type": "number",
"description": "The initial delay in seconds before the first check for changes in the secrets in the pass store.",
"default": "3"
"default": "60"
},
"priority": {
"type": "number",
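Review bot: `"default": "60"` is a JSON string while `"type"` is `number`; this was already true of the old `"3"`, but since the line is being touched anyway, make the default a numeric `60` so schema-aware tooling does not report the default as violating its own type. The same pattern appears on `"default": "4"` for `threads` further down in this file.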
@@ -150,6 +150,11 @@
"type": "string",
"description": "The passphrase for the GPG key, if there is one.",
"default": "\"\""
},
"threads": {
"type": "number",
"description": "Number of threads to spawn for decryption. This can help significantly speed up decryption on secrets with many fields.",
"default": "4"
}
}
},
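Review bot: `threads` is declared `"type": "number"` with `"default": "4"`: the default is a string, and `number` also admits fractional values such as 2.5, which make no sense for a worker count. Use `"type": "integer"`, `"minimum": 1` and a numeric default, so Helm's values validation rejects zero, negative or fractional values before they are rendered into `PASS_DECRYPT_THREADS`.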
11 changes: 7 additions & 4 deletions helm/operator/values.yaml
@@ -12,8 +12,8 @@ deployment:
pullSecrets: []

image:
## @param deployment.image.name [string, default: pass-operator] The name of the image.
name: pass-operator
## @param deployment.image.name [string, default: premiscale/pass-operator] The name of the image.
name: premiscale/pass-operator
## @param deployment.image.tag [string, default: ignore] The tag of the image. The default is "ignore" to ensure users provide a tag.
tag: ignore
## @param deployment.image.pullPolicy [string, default: Always] The pull policy of the image.
@@ -53,8 +53,8 @@ operator:
## @param operator.interval [default: 60] The interval in seconds to check for changes in the secrets in the pass store.
interval: 60

## @param operator.initial_delay [default: 3] The initial delay in seconds before the first check for changes in the secrets in the pass store.
initial_delay: 3
## @param operator.initial_delay [default: 60] The initial delay in seconds before the first check for changes in the secrets in the pass store.
initial_delay: 60

## @param operator.priority [default: 100] The priority of the operator. The higher the number, the higher the priority. Only useful if multiple operators are running.
priority: 100
@@ -96,6 +96,9 @@ operator:
## @param operator.gpg.passphrase [string, default: ""] The passphrase for the GPG key, if there is one.
passphrase: ""

## @param operator.gpg.threads [default: 4] Number of threads to spawn for decryption. This can help significantly speed up decryption on secrets with many fields.
threads: 4

git:
## @param operator.git.branch [string, default: main] The branch of the Git repository to clone and pull from.
branch: main
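Review bot: the `## @param operator.gpg.threads [default: 4]` annotation omits the type, as `interval` and `initial_delay` do, while the neighbouring `operator.gpg.passphrase` annotation spells out `[string, default: ""]`. These comments feed the README and schema generator, so state the type here (an integer, at least 1) and the generated documentation and values.schema.json will carry the constraint instead of having to be patched by hand.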