Merge pull request #42 from finleap-connect/feature/support-k8s-1.22

Add K8s 1.22 support and allow defining allowed secret engines.
finleap-connect · Jun 22, 2022 · 7d737f0 · 7d737f0
2 parents 71a6025 + ce92338
commit 7d737f0
Show file tree

Hide file tree

Showing 24 changed files with 167 additions and 152 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,23 +9,36 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "sunday"
     commit-message:
       # Prefix all commit messages with "ghactions"
       prefix: "ghactions"
     # Specify labels for pull requests
     labels:
       - "github-actions"
       - "chore"
+    reviewers:
+      - "finleap-connect/fcloud"
   # Maintain dependencies for golang
   - package-ecosystem: "gomod" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "sunday"
     commit-message:
       # Prefix all commit messages with "golang"
       prefix: "golang"
     # Specify labels for npm pull requests
     labels:
       - "golang"
       - "chore"
+    reviewers:
+      - "finleap-connect/fcloud"
+  - package-ecosystem: "docker"
+    # Look for a `Dockerfile` in the `root` directory
+    directory: "/"
+    # Check for updates once a week
+    schedule:
+      interval: "weekly"
+      day: "sunday"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml
@@ -0,0 +1,21 @@
+name: Dependabot auto-approve
+on: pull_request
+
+permissions:
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.3.1
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Approve a PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
@@ -0,0 +1,22 @@
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+  contents: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.3.1
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/golang.yaml b/.github/workflows/golang.yaml
@@ -22,8 +22,8 @@ on:
 
 env:
   GO_MODULE: github.com/finleap-connect/vaultoperator
-  GO_VERSION: 1.17
-  GOLINT_VERSION: v1.39
+  GO_VERSION: 1.18.x
+  GO_CI_LINT_VERSION: v1.46.1
 
 jobs:
   lint:
@@ -38,15 +38,14 @@ jobs:
       - name: Run linters
         uses: golangci/golangci-lint-action@v3
         with:
-          version: ${{ env.GOLINT_VERSION }}
+          version: ${{ env.GO_CI_LINT_VERSION }}
           args: --timeout=5m
 
   test:
     needs: lint
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
-        if: success()
         uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GO_VERSION }}
@@ -57,7 +56,7 @@ jobs:
           make go-test
           make go-coverage
       - name: Convert coverage to lcov
-        uses: jandelgado/gcov2lcov-action@v1.0.8
+        uses: jandelgado/gcov2lcov-action@v1.0.9
         with:
           infile: .coverprofile
       - name: Coveralls GitHub Action

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -0,0 +1,28 @@
+name: "Snyk Scanning"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '44 18 * * 3'
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/golang@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
diff --git a/Dockerfile b/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Build the manager binary
-FROM golang:1.17 as builder
+FROM golang:1.18 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

diff --git a/charts/vault-operator/templates/cert.yaml b/charts/vault-operator/templates/cert.yaml
@@ -1,9 +1,5 @@
 ---
-{{- if .Values.useOldCertManager }}
-apiVersion: cert-manager.io/v1alpha2
-{{- else }}
 apiVersion: cert-manager.io/v1
-{{- end }}
 kind: Issuer
 metadata:
   name: selfsigned-issuer
@@ -12,11 +8,7 @@ metadata:
 spec:
   selfSigned: {}
 ---
-{{- if .Values.useOldCertManager }}
-apiVersion: cert-manager.io/v1alpha2
-{{- else }}
 apiVersion: cert-manager.io/v1
-{{- end }}
 kind: Certificate
 metadata:
   name: vault-operator-cert

diff --git a/charts/vault-operator/templates/configmap.yaml b/charts/vault-operator/templates/configmap.yaml
@@ -7,4 +7,5 @@ metadata:
 data:
   VAULT_ADDR: {{ required "A valid .Values.vault.addr is required!" .Values.vault.addr }}
   VAULT_NAMESPACE: {{ .Values.vault.namespace | quote }}
-  SHARED_PATHS: {{ join "," .Values.sharedPaths | quote }}
+  SHARED_PATHS: {{ join "," .Values.sharedPaths | quote }}
+  ALLOWED_ENGINES: {{ join "," .Values.allowedSecretEngines | quote }}
diff --git a/charts/vault-operator/templates/crds.yaml b/charts/vault-operator/templates/crds.yaml
@@ -1,6 +1,6 @@
 # Generated by 'make manifests'
 
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:

diff --git a/charts/vault-operator/templates/metrics-rbac.yaml b/charts/vault-operator/templates/metrics-rbac.yaml
@@ -1,4 +1,4 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "vault-operator.fullname" . }}-metrics-reader

diff --git a/charts/vault-operator/templates/webhook.yaml b/charts/vault-operator/templates/webhook.yaml
@@ -1,6 +1,6 @@
 # Generated by 'make manifests'
 
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:

diff --git a/charts/vault-operator/values.yaml b/charts/vault-operator/values.yaml
@@ -36,10 +36,6 @@ securityContext: {}
 
 terminationGracePeriodSeconds: 10
 
-# Set this to false for older CertManager, which only
-# supports the cert-manager.io/v1 API
-useOldCertManager: true
-
 # Configure Vault connection
 vault:
   addr: "" # Required address of Vault
@@ -49,6 +45,9 @@ vault:
     secretName: "" # Required secret containing AppRole credentials as fields VAULT_ROLE_ID and VAULT_SECRET_ID, see https://www.vaultproject.io/docs/auth/approle
   namespace: "" # Optional Vault namespace to connect to
 
+allowedSecretEngines:
+  - app
+
 # Set which paths in Vault are allowed to be accessed from any namespace
 sharedPaths:
   - shared
diff --git a/config/crd-templates/kustomization.yaml b/config/crd-templates/kustomization.yaml
@@ -5,3 +5,10 @@ bases:
 
 patchesStrategicMerge:
 - patches/crd_patch.yaml
+
+patches:
+- target:
+    group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    name: vaultsecrets.vault.finleap.cloud
+  path: patches/crd_apiversion_patch.yaml
diff --git a/config/crd-templates/patches/crd_apiversion_patch.yaml b/config/crd-templates/patches/crd_apiversion_patch.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: /apiVersion
+  value: apiextensions.k8s.io/v1
diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml
@@ -1,13 +1,13 @@
 # This patch add annotation to admission webhook config and
 # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration

diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -1,4 +1,4 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: metrics-reader

diff --git a/config/webhook-templates/kustomization.yaml b/config/webhook-templates/kustomization.yaml
@@ -9,7 +9,6 @@ patchesStrategicMerge:
 patches:
 - target:
     group: admissionregistration.k8s.io
-    version: v1beta1
     kind: ValidatingWebhookConfiguration
     name: validating-webhook-configuration
   path: patches/webhook_sideeffects_patch.yaml
diff --git a/config/webhook-templates/patches/webhook_sideeffects_patch.yaml b/config/webhook-templates/patches/webhook_sideeffects_patch.yaml
@@ -4,3 +4,9 @@
 - op: replace
   path: /webhooks/0/clientConfig/service/name
   value: '{{ include "vault-operator.fullname" . }}-webhook'
+- op: replace
+  path: /webhooks/0/clientConfig/service/name
+  value: '{{ include "vault-operator.fullname" . }}-webhook'
+- op: replace
+  path: /apiVersion
+  value: admissionregistration.k8s.io/v1
diff --git a/controllers/suite_test.go b/controllers/suite_test.go
@@ -78,6 +78,7 @@ var _ = BeforeSuite(func() {
 	*/
 	By("bootstrapping test environment")
 	Expect(os.Setenv("SHARED_PATHS", "shared,common")).To(Succeed())
+	Expect(os.Setenv("ALLOWED_ENGINES", "app,secret")).To(Succeed())
 
 	testEnv = &envtest.Environment{
 		CRDDirectoryPaths:     []string{filepath.Join("..", "config", "crd", "bases")},

diff --git a/controllers/vaultsecret_controller.go b/controllers/vaultsecret_controller.go
@@ -23,7 +23,7 @@ import (
 	"strings"
 	"text/template"
 
-	"github.com/Masterminds/sprig"
+	"github.com/Masterminds/sprig/v3"
 	"github.com/go-logr/logr"
 	"github.com/google/uuid"
 	corev1 "k8s.io/api/core/v1"
@@ -449,12 +449,14 @@ func (r *VaultSecretReconciler) checkPermission(vaultSecret *vaultv1alpha1.Vault
 		return ErrInvalidVaultPath
 	}
 
+	allowedEngines := strings.Split(os.Getenv("ALLOWED_ENGINES"), ",")
+
 	firstSegment := segments[0]
 	if firstSegment == "cert" {
 		return nil
 	}
-	if firstSegment == "app" {
-		// The Vault path should be scoped (e.g. app/<namespace>/<key-name>) and thus consist
+	if util.ContainsString(allowedEngines, firstSegment) {
+		// The Vault path should be scoped (e.g. <allowed-engine>/<namespace>/<key-name>) and thus consist
 		// of at least 3 parts.
 		if len(segments) < 3 {
 			return ErrInvalidVaultPath