diff --git a/.circleci/config.yml b/.circleci/config.yml
index ed53a15..460232b 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -54,6 +54,13 @@ jobs:
 name: Install k3d
 command: |
 wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | TAG=v${K3D_VERSION} bash
+ - run:
+ name: Install Helm
+ command: |
+ wget https://get.helm.sh/helm-v3.3.1-linux-amd64.tar.gz
+ tar -zxvf helm-v3.3.1-linux-amd64.tar.gz
+ chmod +x linux-amd64/helm
+ sudo mv linux-amd64/helm /usr/local/bin/
 - run:
 name: Run all tests
 command: |
@@ -64,10 +71,10 @@ jobs:
 kubectl apply -f https://raw.githubusercontent.com/patoarvizu/common-manifests/master/vault/vault-operator.yaml
 kubectl apply -f https://raw.githubusercontent.com/patoarvizu/common-manifests/master/vault/vault-cluster-kubernetes-and-db.yaml
 kubectl apply -f test/manifests/namespaces/test.yaml
- make deploy
+ helm install vault-dynamic-configuration-operator helm/vault-dynamic-configuration-operator/ -n vault
 sleep 60
 go test github.com/patoarvizu/vault-dynamic-configuration-operator/test/e2e -v -ginkgo.focus="Single namespace"
- kubectl -n vault patch deployment controller-manager --type='json' -p='[{"op":"add", "path":"/spec/template/spec/containers/0/args/-", "value":"--bound-roles-to-all-namespaces"}]'
+ helm upgrade vault-dynamic-configuration-operator helm/vault-dynamic-configuration-operator/ -n vault --set boundRolesToAllNamespaces=true
 go test github.com/patoarvizu/vault-dynamic-configuration-operator/test/e2e -v -ginkgo.focus="All namespaces"
 - save_cache:
 key: vault-dynamic-configuration-operator-golang-cache-{{ checksum "go.sum" }}
diff --git a/helm/vault-dynamic-configuration-operator/.helmignore b/helm/vault-dynamic-configuration-operator/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/.helmignore
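Review bot: The Helm tarball fetched by the new `wget` in the Install Helm step is extracted and promoted to `/usr/local/bin` with no integrity check, so a substituted or tampered download becomes the binary that later runs `helm install` with the job's cluster credentials. Helm publishes a `.sha256sum` next to each release; pin the expected digest in the config (obtained out of band, not fetched from the same URL at run time) and fail the step on mismatch, e.g. `echo "${HELM_SHA256}  helm-v3.3.1-linux-amd64.tar.gz" | sha256sum -c -` immediately after the download. Lifting `3.3.1` into a `HELM_VERSION` variable, mirroring how `K3D_VERSION` is already used in the step above, keeps the URL, archive name and digest in one place when the version is bumped.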
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/helm/vault-dynamic-configuration-operator/Chart.yaml b/helm/vault-dynamic-configuration-operator/Chart.yaml
new file mode 100644
index 0000000..68e611a
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Vault dynamic configuration operator
+name: vault-dynamic-configuration-operator
+version: 0.0.0
diff --git a/helm/vault-dynamic-configuration-operator/templates/configmap.yaml b/helm/vault-dynamic-configuration-operator/templates/configmap.yaml
new file mode 100644
index 0000000..cf40f46
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/templates/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vault-dynamic-configuration
+ namespace: {{ .Release.Namespace }}
+data:
+ policy-template: {{"|"}}{{ .Values.defaultConfiguration.policyTemplate | nindent 4 }}
+ db-user-creation-statement: {{ .Values.defaultConfiguration.dbUserCreationStatement }}
+ db-default-ttl: {{ .Values.defaultConfiguration.dbDefaultTTL }}
+ db-max-ttl: {{ .Values.defaultConfiguration.dbMaxTTL }}
\ No newline at end of file
diff --git a/helm/vault-dynamic-configuration-operator/templates/deployment.yaml b/helm/vault-dynamic-configuration-operator/templates/deployment.yaml
new file mode 100644
index 0000000..a576d04
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/templates/deployment.yaml
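Review bot: In configmap.yaml the `db-user-creation-statement`, `db-default-ttl` and `db-max-ttl` values are interpolated as plain scalars, so any override that contains `: `, ` #`, a leading quote or another YAML indicator breaks the rendered manifest, and an empty override becomes `null` instead of an empty string. Pipe each through `quote`: `db-user-creation-statement: {{ .Values.defaultConfiguration.dbUserCreationStatement | quote }}`, and the same for the two TTL keys. The `{{"|"}}` trick on `policy-template` renders correctly but is hard to read; the conventional form is `policy-template: |` with `{{ .Values.defaultConfiguration.policyTemplate | indent 4 }}` on the following line, which produces the same block scalar.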
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vault-dynamic-configuration-operator
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: vault-dynamic-configuration-operator
+spec:
+ selector:
+ matchLabels:
+ app: vault-dynamic-configuration-operator
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: vault-dynamic-configuration-operator
+ spec:
+ serviceAccountName: {{ .Values.serviceAccount.name }}
+ containers:
+ - command:
+ - /manager
+ args:
+ - --enable-leader-election
+ - --annotation-prefix={{ .Values.annotationPrefix }}
+ {{- if .Values.boundRolesToAllNamespaces }}
+ - --bound-roles-to-all-namespaces
+ {{- end }}
+ image: patoarvizu/vault-dynamic-configuration-operator:{{ .Values.imageVersion }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ name: manager
+ env:
+ - name: WATCH_NAMESPACE
+ value: {{ .Values.watchNamespace }}
+ {{- if .Values.resources }}
+ resources: {{ toYaml .Values.resources | nindent 8 }}
+ {{- end }}
\ No newline at end of file
diff --git a/helm/vault-dynamic-configuration-operator/templates/monitoring.yaml b/helm/vault-dynamic-configuration-operator/templates/monitoring.yaml
new file mode 100644
index 0000000..3671e0c
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/templates/monitoring.yaml
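Review bot: The `manager` container in the new Deployment has no `securityContext` at pod or container level, so it runs with the cluster defaults (root user, writable root filesystem, the default capability set) although nothing visible here needs any of that for a controller that only talks to the API server and Vault. Because this pod's ServiceAccount is bound to a ClusterRole that can mutate `vaults` resources cluster-wide, a hardened pod spec limits what a container escape or a compromised dependency can do with that token. Add a restrictive `securityContext` as sketched below; `runAsNonRoot` assumes the image declares a non-root user, which isn't visible in this diff and should be confirmed before enabling it. Separately, `WATCH_NAMESPACE` should be emitted as `value: {{ .Values.watchNamespace | quote }}` so the default `""` renders as an empty string rather than a bare null.
```yaml
    spec:
      serviceAccountName: {{ .Values.serviceAccount.name }}
      securityContext:
        runAsNonRoot: true
      containers:
      - command:
        - /manager
        # … unchanged: args, image, imagePullPolicy, name …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        env:
        - name: WATCH_NAMESPACE
          value: {{ .Values.watchNamespace | quote }}
        # … unchanged: resources …
```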
@@ -0,0 +1,35 @@
+{{- if .Values.prometheusMonitoring.enable }}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: vault-dynamic-configuration-operator
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: vault-dynamic-configuration-operator
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: http-metrics
+ name: http-metrics
+ selector:
+ app: vault-dynamic-configuration-operator
+
+---
+
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: vault-dynamic-configuration-operator
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpoints:
+ - path: /metrics
+ port: http-metrics
+ selector:
+ matchLabels:
+ app: vault-dynamic-configuration-operator
+
+{{ end }}
\ No newline at end of file
diff --git a/helm/vault-dynamic-configuration-operator/templates/rbac.yaml b/helm/vault-dynamic-configuration-operator/templates/rbac.yaml
new file mode 100644
index 0000000..839f3f5
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/templates/rbac.yaml
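Review bot: The Service's `targetPort: http-metrics` refers to a container port by name, but the Deployment added in this change declares no `ports:` on the `manager` container, so the name cannot resolve and the Service will have no usable endpoint — the ServiceMonitor will then scrape nothing. Either add `ports:` / `- name: http-metrics` / `containerPort: 8080` to the container in deployment.yaml (8080 matches the Service `port` here, but the address the manager actually binds for metrics isn't visible in this diff and should be checked against its metrics flag default), or use a numeric `targetPort`. Note also that `/metrics` is served unauthenticated, which is the usual controller-runtime arrangement; if the cluster enforces NetworkPolicies, restricting this Service to the Prometheus namespace is worth a comment in the template.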
@@ -0,0 +1,106 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-dynamic-configuration-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-dynamic-configuration-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-dynamic-configuration-operator
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: vault-dynamic-configuration-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - vault.banzaicloud.com
+ resources:
+ - vaults
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-dynamic-configuration-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vault-dynamic-configuration-operator
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
diff --git a/helm/vault-dynamic-configuration-operator/templates/service_account.yaml b/helm/vault-dynamic-configuration-operator/templates/service_account.yaml
new file mode 100644
index 0000000..d330c45
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/templates/service_account.yaml
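Review bot: The ClusterRole grants `get`/`list`/`watch` on `configmaps` in every namespace, which lets the operator read all ConfigMap data cluster-wide, while the namespaced Role already covers the `vault-dynamic-configuration` ConfigMap the chart creates in the release namespace; if the controller only reads that default ConfigMap (not determinable from this diff), drop the cluster-wide configmaps rule, and otherwise leave a comment above it naming which ConfigMaps it must read and why. The `vaults` rule also includes `create`, which is more than a controller that patches an existing Vault CR's configuration needs — verify against the reconciler and trim to `get`/`list`/`watch`/`patch`/`update` if `create` is unused. Separately, the `Role` and `RoleBinding` have no `metadata.namespace` while every other object in the chart sets `namespace: {{ .Release.Namespace }}`; add it to both so the binding's target is explicit, and drop the generator leftover `creationTimestamp: null` on the ClusterRole.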
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/helm/vault-dynamic-configuration-operator/values.yaml b/helm/vault-dynamic-configuration-operator/values.yaml
new file mode 100644
index 0000000..492105c
--- /dev/null
+++ b/helm/vault-dynamic-configuration-operator/values.yaml
@@ -0,0 +1,31 @@
+# annotationPrefix -- The value to be set on the `--annotation-prefix` flag.
+annotationPrefix: vault.patoarvizu.dev
+# boundRolesToAllNamespaces -- If set to `true` the `--bound-roles-to-all-namespaces` flag will be set.
+boundRolesToAllNamespaces: false
+# imageVersion -- The image version used for the operator.
+imageVersion: latest
+# imagePullPolicy -- The imagePullPolicy to be used on the operator.
+imagePullPolicy: IfNotPresent
+serviceAccount:
+ # serviceAccount.name -- The name of the `ServiceAccount` to be created.
+ name: vault-dynamic-configuration-operator
+# watchNamespace -- The value to be set on the `WATCH_NAMESPACE` environment variable.
+watchNamespace: ""
+# defaultConfiguration -- The values to be used for the default `vault-dynamic-configuration` `ConfigMap`.
+defaultConfiguration:
+ # defaultConfiguration.policyTemplate -- Corresponds to the `policy-template` field of the default `ConfigMap`.
+ policyTemplate: |
+ path "secret/{{ .Name }}" {
+ capabilities = ["read"]
+ }
+ # defaultConfiguration.dbUserCreationStatement -- Corresponds to the `db-user-creation-statement` field of the default `ConfigMap`.
+ dbUserCreationStatement: "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT ALL ON *.* TO '{{name}}'@'%';"
+ # defaultConfiguration.dbDefaultTTL -- Corresponds to the `db-default-ttl` field of the default `ConfigMap`.
+ dbDefaultTTL: 1h
+ # defaultConfiguration.dbMaxTTL -- Corresponds to the `db-max-ttl` field of the default `ConfigMap`.
+ dbMaxTTL: 24h
+prometheusMonitoring:
+ # prometheusMonitoring.enable -- Create the `Service` and `ServiceMonitor` objects to enable Prometheus monitoring on the operator.
+ enable: true
+# resources -- (object) The resources requests/limits to be set on the deployment pod spec template.
+resources:
\ No newline at end of file
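Review bot: The default `dbUserCreationStatement` gives every dynamically created database user `GRANT ALL ON *.* TO '{{name}}'@'%'`, i.e. full privileges on every database from any host, so a chart installed without overriding this value hands out what is effectively a superuser credential, bounded only by the `dbMaxTTL` of 24h if that is what the operator applies as the lease limit. A least-privilege default (or no default at all, forcing the installer to choose one) is safer; at minimum put the exposure in the comment above the key, e.g. `# WARNING: this default grants ALL on *.* from any host; override it with the narrowest grant your workloads need.` `imageVersion: latest` combined with `imagePullPolicy: IfNotPresent` also means an install resolves to whatever `latest` happens to be cached on the node, which is neither reproducible nor auditable; default to a released version tag (or a digest) instead. Finally, a bare `resources:` parses as null, which the Deployment's `{{- if .Values.resources }}` guard tolerates, but `resources: {}` states the intent explicitly.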