-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 1042d1b
Showing
39 changed files
with
1,654 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# Ignore Gradle project-specific cache directory | ||
.gradle | ||
|
||
# Ignore Gradle build output directory | ||
build | ||
.DS_Store | ||
.idea/ | ||
out/ | ||
src/.DS_Store | ||
src/main/resources-generated/ |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
# Kubernetes Secrets plugin for GoCD | ||
|
||
This plugin allows users to refer to [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) as a secret for GoCD. | ||
|
||
### Configure the plugin | ||
|
||
The plugin requires secret config in order to connect with the kubernetes secret - | ||
|
||
```xml | ||
<secretConfigs> | ||
<secretConfig id="k8s" pluginId="cd.go.contrib.secrets.kubernetes"> | ||
<configuration> | ||
<property> | ||
<key>kubernetes_secret_name</key> | ||
<value>mysecret</value> | ||
</property> | ||
<property> | ||
<key>kubernetes_cluster_url</key> | ||
<value>https://192.168.99.100:8443</value> | ||
</property> | ||
<property> | ||
<key>security_token</key> | ||
<encryptedValue>AES:niGQ6YZzkMfMCZbmG97VFg==:6n5Gdqu3LPPuGUI8YF769iTTdFmuDLJBhABUy//UKDiWV+wilqd7UiWadUFwiTHbb+694wIz6+mAe8alvhzdKzZAo+xHDyE+hdg7mcMOJ2LU7RA4uvFPtujRhZgYFvl5OpqWfmQodu+08WcUqU+ITOfSsThyK7/+CjrAwrc/iusHyG+vQ8m4lQ85kymLGhrVkZQsLPWHnQB2O05r2JQJZZClNABlsccHISh0vKuITa544GUX12ulPi2xx0gm4cA5Nd9RJxHRNhlOWzCMXiNF30EsSjnN/tqFdPud33uw1Fm34R9jgPsB7LAii9HRmZYHbc6rvZuERpOqd+cnjMsyFNqTEqGwOdlQCIrbKw+Z4/0FCCmqJbMwenI+czU8lWg9NlxsoMOVf9WqlB0uaDAT3/NEKaWY6uCrjvPU7OlBhJ1ufB0+49/EPGH0NGZ7DTrzM5h3s54U4T0U4t4OPwD10xVFAHHudv8UFq8afRM5GyQCHLzA5Mni17miBPcuicKWse5/FTUR+kJSECY7KDdH/eW5TxyRDmv1GAzxl985QRHza6xsymhcFlm/3feWiZHnSmInTnUc9Uq7fVuhn725aaTmYUZmnjvZ/UZoHvmEjqN553hF7TGTydkakwQTW87kfYS+YEf+pxz95E6e6D9VMHAa3+csBKEaU+2MMEcOb4f0XC2I96Q74u+st98fR0s6k+nkQX+Yhfh1RVPl3BRFnuWglhqzvQG4wdluKzRbZBT0zyaKugzNfn8Q61UBui4AelNsmHXpEyr9f4lOFymdgUuia/bNbDJGXdjB9Xj0lFRH+PyoDNpimlT6wAXf0bcmVj+OXFepioVqLzeYjjM/AMVwjs3FXU6TbNEPTUazOkxVHDKRyZ7Rs28udxrx7/qJMYLKCrTnDSdZdcK+woem/ViqcdCkFsz5DrTRBpX3MlU2KD61HdEadZDFqg+cP7JO1QxYUklBXl2IJGeL1USW1bCncxmEkYNaYVSTqbqnnGYog5JuVm6Tcd1tVfAEjuSiFlmzRoIC8HjncqVH086MfzYM4+8t+O0PHvtilldQlC24SVgqlHf5OpPPUuWxZOeNFheRPX3vCrwDFrHTCykuM3MoYPZid56y5I1O2Pc1zEc=</encryptedValue> | ||
</property> | ||
<property> | ||
<key>kubernetes_cluster_ca_cert</key> | ||
<encryptedValue>AES:Vub2rXf0xa4d79JTgXs3TA==:sIl/nCHhnAVOH1/+AXkcowfKQHN1ZOLybWyvytNwV4s8v3Iq0+Jp+MGEtAxSImcBsaf/riUhjFaji6T5WILfzyhs1WlwSzsHTfAOhRZir9OLBVw/wUa9d8eeA0s1y2fUUKjqo9BnswGMnB6GzMQwqUoDZ+ui7SPQl3KPICu5KSBlDc9+uhxMH3DhmhSPRrKpVT/7c4xOMR36/Exlzp3IXkGQISCHs/AL5McPUXAFx4nwGzoFEXROpVMFycm5tHt4hd8sa8hRmFpVavcHBIHHF9QAnFX8RPefHV2aGEwBRiYQFee7oPqDhlnfSP6zgTbADYPtDZK2RuOxeM7JFtVUNpgMfsqk2Q8jA/tICdvl0sQvowHuihSyH4O+kano0kxYzNVNQTLs7qhzbB5MGob+3+TEUXrgGjkgFQ5gyER3mn6JsVwZpIHbr4q1dfKkwl59K3UjserxtNbBvS2CfMBFbXs+/yTGEzs+nn06lhlEwkAtaBVTjWaCP5iCCvkEGZQ1FB48cV+o1Pup1zZvWtk1ELle9fY2JxrOd4wo8l78lsMKi5IeuICVr25NAt6upvnJVATybQgaCErOoGDbZalcrNY282y2Q8ohU6/yEKjo6f6fCVWPUaCkz97HkHOfSbpxMEzbI8CnUsAHd+0oZmvAzMTyvFTl+lgmIhEY7JnkJwIefuHfcSOuzpiJB4pXhcooNd4Xug4D7rDXf/9M0sUwbaoA88lvXdtvz01e82xW7gCPxsvrJkJ3+NQxJw0lwZcPKgQfpSc6xTdwaiO3LMqSiPFL9FAq0/u/Le4FztNOxGomrkugtGYMtaqqXerQ6wKStYuhgIyKugffRlaQVBXSb6a58Rm8MrlzRXHqPCaMoCviblYWAIhQ9llsFwFVzD1wmSOkDC6BhG067TwjOL4SZPruLk78UFwEsyUSdez6zstQLj6LdjNbskuDyanOGdF2CY02zut0GlpXIGS8wA0SwudKf+15dTCAG00RSoPk8jYZ1rxC1hPwSXLN6xyFQlWTHLzg7X+jez3V8VOO+LmBJdWqfSPMCEZDeRONl08UVW9iCWJCI1wSSq+Ci8Q1ysTE1QYUDCTRxcSAvjof30i+49tvwet4OsrKzknh+tRTKcx1xVsJ9Spm8D+ZIddWeWKYteel6ZgX4yoUtA4staGhEQ/HOZwzfV382f2A/PFYmbElfP1ooq8L6UBtWH0BlTOKUUX+SiTUyVkgFqTWyT1ikyiS/rY0K0XElLWUVjc0qeYrn2Xh7zG/fG099oWIhMdbJ+yE6s2MBAd+kjmkBE4DuMmyJK6qJRjyVgOgbnx1kZtdg5BaC9TEVwLTkF0QrzEH</encryptedValue> | ||
</property> | ||
<property> | ||
<key>namespace</key> | ||
<value>default</value> | ||
</property> | ||
</configuration> | ||
<rules> | ||
<allow action="refer" type="*">*</allow> | ||
</rules> | ||
<description /> | ||
</secretConfig> | ||
</secretConfigs> | ||
``` | ||
|
||
| Field | Required | Description | | ||
| -------------------------- | --------- | ------------------------------------------------------------------------------ | | ||
| kubernetes_secret_name | true | The kubernetes secret name that needs to accessed within GoCD. | | ||
| kubernetes_cluster_url | true | The kubernetes cluster url. | | ||
| security_token | true | The security token having enough permissions to access the kubernetes secret. | | ||
| kubernetes_cluster_ca_cert | false | The kubernetes cluster CA certificate. | | ||
| namespace | false | The kubernetes namespace where kubernetes secret reside. | | ||
|
||
### Building the code base | ||
To build the jar, run `./gradlew clean test assemble` | ||
|
||
### Example | ||
|
||
1. Create a kubernetes secret with desired name and appropriate data. For example: Let's create a kubernetes secret with name `dokerhub-credentials`, containing `username` and `password` as data items. | ||
```shell | ||
$ cat secrets.yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: dokerhub-credentials | ||
type: Opaque | ||
data: | ||
username: YWRtaW4= | ||
password: MWYyZDFlMmU2N2Rm | ||
``` | ||
|
||
```shell | ||
$ kubectl create -f secrets.yaml | ||
secret "dokerhub-credentials" created | ||
``` | ||
|
||
```shell | ||
$ kubectl describe secret/dokerhub-credentials | ||
Name: dokerhub-credentials | ||
Namespace: default | ||
Labels: <none> | ||
Annotations: <none> | ||
|
||
Type: Opaque | ||
|
||
Data | ||
==== | ||
password: 12 bytes | ||
username: 5 bytes | ||
``` | ||
|
||
2. Configure a GoCD secret (named `secret-for-dokerhub-credentials`) to to point to `dokerhub-credentials` secret. | ||
|
||
![Secret Configuration](images/secret_config_1.png) | ||
![Secret Configuration](images/secret_config_2.png) | ||
![Rules Configuration](images/rules_configuration.png) | ||
|
||
3. Use the configured secret config in an environment variable of a job. lets say, we want specify `DOCKERHUB_USERNAME` as an environment variable pointing to the `username` data from the `dokerhub-credentials` kubernetes secret, we can configure an environment variable on the job with key being `DOCKERHUB_USERNAME` and setting the value to `{{SECRET:[secret-for-dokerhub-credentials][username]}}`, where `secret-for-dokerhub-credentials` is the secret config id and `username` is the data attribute from the kubernetes secret. | ||
|
||
![Usage in Environment Variables](images/secrets_in_environment_variables.png) | ||
|
||
### Troubleshooting | ||
|
||
To enable debug log add following environment variable - | ||
|
||
``` | ||
GO_SERVER_SYSTEM_PROPERTIES=-Dplugin.cd.go.contrib.secrets.kubernetes.log.level=debug | ||
``` | ||
|
||
The plugin logs are written to `LOG_DIR/plugin-cd.go.contrib.secrets.kubernetes.log`. The log dir | ||
- on Linux is `/var/log/go-server` | ||
- on Windows are written to `C:\Program Files\Go Server\logs` | ||
- on docker images are written to `/godata/logs` | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
/* | ||
* Copyright 2019 ThoughtWorks, Inc. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
apply plugin: 'java' | ||
apply from: "https://raw.githubusercontent.com/gocd/gocd-plugin-gradle-task-helpers/master/helper.gradle?_=${(int) (new Date().toInstant().epochSecond / 60)}" | ||
|
||
gocdPlugin { | ||
id = 'cd.go.contrib.secrets.kubernetes' | ||
pluginVersion = '0.0.1' | ||
goCdVersion = '19.6.0' | ||
name = 'Kubernetes Secrets Plugin for GoCD' | ||
description = 'Kubernetes secrets based secrets plugin for GoCD' | ||
vendorName = 'ThoughtWorks, Inc.' | ||
vendorUrl = 'https://github.com/gocd/gocd-kubernetes-based-secrets-plugin' | ||
|
||
githubRepo { | ||
owner = System.getenv('GITHUB_USER') ?: 'bob' | ||
repo = 'gocd-kubernetes-based-secrets-plugin' | ||
token = System.getenv('GITHUB_TOKEN') ?: 'bad-token' | ||
} | ||
|
||
pluginProject = project | ||
|
||
prerelease = !"No".equalsIgnoreCase(System.getenv('PRERELEASE')) | ||
assetsToRelease = [project.tasks.findByName('jar')] | ||
} | ||
|
||
sourceCompatibility = 1.8 | ||
targetCompatibility = 1.8 | ||
|
||
version = gocdPlugin.fullVersion(project) | ||
|
||
repositories { | ||
mavenCentral() | ||
} | ||
|
||
sourceSets { | ||
test { | ||
java { | ||
compileClasspath += configurations.compileOnly | ||
runtimeClasspath += configurations.compileOnly | ||
} | ||
} | ||
} | ||
|
||
dependencies { | ||
compile group: 'com.github.bdpiparva.plugin.base', name: 'gocd-plugin-base', version: '0.0.5' | ||
compileOnly group: 'cd.go.plugin', name: 'go-plugin-api', version: '19.1.0' | ||
compile group: 'com.google.code.gson', name: 'gson', version: '2.8.5' | ||
compile group: 'io.fabric8', name: 'kubernetes-client', version: '3.1.8' | ||
|
||
testCompile group: 'org.junit.jupiter', name: 'junit-jupiter-engine', version: '5.4.1' | ||
testCompile group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: '5.4.1' | ||
testCompile group: 'org.junit.jupiter', name: 'junit-jupiter-params', version: '5.4.1' | ||
testCompile group: 'org.assertj', name: 'assertj-core', version: '3.12.2' | ||
testCompile group: 'org.mockito', name: 'mockito-core', version: '2.25.1' | ||
testCompile group: 'org.jsoup', name: 'jsoup', version: '1.10.2' | ||
testCompile group: 'cd.go.plugin', name: 'go-plugin-api', version: '19.1.0' | ||
testCompile group: 'org.skyscreamer', name: 'jsonassert', version: '1.5.0' | ||
} | ||
|
||
test { | ||
useJUnitPlatform() | ||
} | ||
|
||
jar { | ||
from(configurations.compile) { | ||
into "lib/" | ||
} | ||
|
||
// from(sourceSets.main.java) { | ||
// into "/" | ||
// } | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<module external.linked.project.id="gocd-kubernetes-based-secrets-plugin" external.linked.project.path="$MODULE_DIR$" external.root.project.path="$MODULE_DIR$" external.system.id="GRADLE" external.system.module.group="" external.system.module.version="0.0.1-17" type="JAVA_MODULE" version="4"> | ||
<component name="NewModuleRootManager" inherit-compiler-output="true"> | ||
<exclude-output /> | ||
<content url="file://$MODULE_DIR$"> | ||
<excludeFolder url="file://$MODULE_DIR$/.gradle" /> | ||
<excludeFolder url="file://$MODULE_DIR$/build" /> | ||
<excludeFolder url="file://$MODULE_DIR$/out" /> | ||
</content> | ||
<orderEntry type="inheritedJdk" /> | ||
<orderEntry type="sourceFolder" forTests="false" /> | ||
</component> | ||
</module> |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
distributionBase=GRADLE_USER_HOME | ||
distributionPath=wrapper/dists | ||
distributionUrl=https\://services.gradle.org/distributions/gradle-5.3-all.zip | ||
zipStoreBase=GRADLE_USER_HOME | ||
zipStorePath=wrapper/dists |
Oops, something went wrong.