Azure KMS support #148

Merged
merged 4 commits into from
Jul 27, 2022
2 changes: 2 additions & 0 deletions .github/workflows/_gocilint.yml
Expand Up @@ -17,6 +17,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@4a4352b33067e47da692b40ea6e19467075219ac
with:
go-version: '1.18'
- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
- name: golangci-lint
uses: golangci/golangci-lint-action@c3ef0c370269e2a25b67c7f8e03d37e6cb106cb9
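--- /dev/null
+++ b/.github/workflows/e2e-azurekms-on-pr.yml
@@ -0,0 +1,65 @@
+name: Azure KMS e2e on pr
+
+on:
+  pull_request:
+    branches: [ main, v2* ]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+  actions: read
+  security-events: write
+  packages: write
+
+concurrency:
+  group: ci-e2e-azurekms-${{ github.ref }}-1
+  cancel-in-progress: true
+
+jobs:
+  golangci-lint:
+    uses: ./.github/workflows/_gocilint.yml
+    with:
+      project: providers/azurekms
+
+  gosec-scanning:
+    uses: ./.github/workflows/_gosecscan.yml
+    needs: golangci-lint
+
+  image-build:
+    uses: ./.github/workflows/_docker-build.yml
+    with:
+      registry: ghcr.io
+      imageName: ${{ github.repository }}
+      imageTagPrefix: azurekms
+      project: providers/azurekms
+    needs: gosec-scanning
+
+  # e2e-1_22:
+  #   uses: ./.github/workflows/_e2e-test.yml
+  #   with:
+  #     provider: azurekms
+  #     kubever: "1.22"
+  #   needs: image-build
+
+  # e2e-1_23:
+  #   uses: ./.github/workflows/_e2e-test.yml
+  #   with:
+  #     provider: azurekms
+  #     kubever: "1.23"
+  #   needs: image-build
+
+  # e2e-1_24:
+  #   uses: ./.github/workflows/_e2e-test.yml
+  #   with:
+  #     provider: azurekms
+  #     kubever: "1.24"
+  #   needs: image-build
+
+  image-vulnerability-scan:
+    uses: ./.github/workflows/_trivy.yml
+    with:
+      registry: ghcr.io
+      imageName: ${{ github.repository }}
+      imageTagPrefix: azurekms
+    needs: image-build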
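Review bot: The workflow-level `permissions` block hands `packages: write` and `security-events: write` to every job, including `golangci-lint` and `gosec-scanning` which need nothing beyond `contents: read`, and because the trigger is `pull_request` a same-repo PR's `image-build` pushes an `azurekms`-tagged image to ghcr.io under the repository name before anyone has reviewed the code. Scoping the write permissions to the two jobs that use them (a reusable workflow called with `uses:` gets at most the caller job's permissions) limits what a compromised lint or scan step can do with the token. Separately, all three `e2e-1_2x` jobs are commented out without explanation, so despite its name this workflow runs no end-to-end test of the new provider; a comment such as `# e2e jobs disabled: Azure KMS needs real credentials that are not available on pull_request runs — run via workflow_dispatch` (presumed reason, confirm) would stop the file being mistaken for coverage. Suggested per-job scoping:
```yaml
permissions:
  contents: read
  pull-requests: read
  actions: read

jobs:
  # … unchanged: golangci-lint, gosec-scanning …
  image-build:
    uses: ./.github/workflows/_docker-build.yml
    permissions:
      contents: read
      packages: write
    # … unchanged: with, needs …
  image-vulnerability-scan:
    uses: ./.github/workflows/_trivy.yml
    permissions:
      contents: read
      security-events: write
    # … unchanged: with, needs …
```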
9 changes: 9 additions & 0 deletions .github/workflows/generator-test-on-pr.yml
Expand Up @@ -31,10 +31,13 @@ jobs:
TR_SOCKET_LOCATION=${PWD}/bin/run
TR_PROXY_IMAGE=ondat/trousseau:proxy-develop
TR_AWSKMS_IMAGE=ondat/trousseau:awskms-develop
TR_AZUREKMS_IMAGE=ondat/trousseau:azurekms-develop
TR_VAULT_IMAGE=ondat/trousseau:vault-develop
TR_TROUSSEAU_IMAGE=ondat/trousseau:trousseau-develop
TR_AWSKMS_CREDENTIALS=${HOME}/.aws/credentials
TR_AWSKMS_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/awskms.yaml
TR_AZUREKMS_CREDENTIALS=${HOME}/.azure/config.json
TR_AZUREKMS_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/azurekms.yaml
TR_VAULT_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/vault.yaml
- name: generate services
run: make prod:generate:docker-compose ENV_LOCATION=trousseau-env
Expand All @@ -57,10 +60,13 @@ jobs:
TR_SOCKET_LOCATION=${PWD}/bin/run
TR_PROXY_IMAGE=ondat/trousseau:proxy-develop
TR_AWSKMS_IMAGE=ondat/trousseau:awskms-develop
TR_AZUREKMS_IMAGE=ondat/trousseau:azurekms-develop
TR_VAULT_IMAGE=ondat/trousseau:vault-develop
TR_TROUSSEAU_IMAGE=ondat/trousseau:trousseau-develop
TR_AWSKMS_CREDENTIALS=${HOME}/.aws/credentials
TR_AWSKMS_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/awskms.yaml
TR_AZUREKMS_CREDENTIALS=${HOME}/.azure/config.json
TR_AZUREKMS_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/azurekms.yaml
TR_VAULT_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/vault.yaml
TR_VAULT_ADDRESS=http://127.0.0.1:8200
- name: generate services
Expand All @@ -84,10 +90,13 @@ jobs:
TR_SOCKET_LOCATION=${PWD}/bin/run
TR_PROXY_IMAGE=ondat/trousseau:proxy-develop
TR_AWSKMS_IMAGE=ondat/trousseau:awskms-develop
TR_AZUREKMS_IMAGE=ondat/trousseau:azurekms-develop
TR_VAULT_IMAGE=ondat/trousseau:vault-develop
TR_TROUSSEAU_IMAGE=ondat/trousseau:trousseau-develop
TR_AWSKMS_CREDENTIALS=${HOME}/.aws/credentials
TR_AWSKMS_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/awskms.yaml
TR_AZUREKMS_CREDENTIALS=${HOME}/.azure/config.json
TR_AZUREKMS_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/azurekms.yaml
TR_VAULT_CONFIG=${PWD}/tests/e2e/kuttl/kube-v1.24/vault.yaml
TR_VAULT_ADDRESS=http://127.0.0.1:8200
- name: generate services
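Review bot: The three `TR_AZUREKMS_*` lines are pasted into three near-identical env blocks (this hunk and the two above it), which is the same three-way duplication that `TR_AWSKMS_*` already suffers from, so every new provider becomes a three-place edit that is easy to get out of sync; hoisting the shared variables into one step (or a job matrix over the provider set) would make it a single-place change. Style point only. Note also that `TR_AZUREKMS_CREDENTIALS=${HOME}/.azure/config.json` is only a path here, but the `.task/prod.yml` generators on this page copy the `*_CONFIG` files verbatim into generated manifests, so `azurekms.yaml` must reference credentials by path and never inline them — inferred from the generators, confirm against what the config actually holds. The enclosing job starts and ends outside the hunk.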
17 changes: 17 additions & 0 deletions .task/docker.yml
Expand Up @@ -12,6 +12,7 @@ tasks:
- task: build:debug
- task: build:vault
- task: build:awskms
- task: build:azurekms
- task: build:trousseau
build:proxy:
cmds:
Expand All @@ -33,6 +34,11 @@ tasks:
- docker build --label buildtime={{.NOW}} --build-arg BASE_IMAGE={{.BASE_IMAGE}} --build-arg PROJECT=providers/awskms -t $DOCKER_REGISTRY/$IMAGE_NAME:awskms-$IMAGE_VERSION .
status:
- test "{{.NOW}}" == "$(docker inspect $DOCKER_REGISTRY/$IMAGE_NAME:awskms-$IMAGE_VERSION --format='{{"{{"}}.Config.Labels.buildtime{{"}}"}}' 2>/dev/null)"
build:azurekms:
cmds:
- docker build --label buildtime={{.NOW}} --build-arg BASE_IMAGE={{.BASE_IMAGE}} --build-arg PROJECT=providers/azurekms -t $DOCKER_REGISTRY/$IMAGE_NAME:azurekms-$IMAGE_VERSION .
status:
- test "{{.NOW}}" == "$(docker inspect $DOCKER_REGISTRY/$IMAGE_NAME:azurekms-$IMAGE_VERSION --format='{{"{{"}}.Config.Labels.buildtime{{"}}"}}' 2>/dev/null)"
build:trousseau:
cmds:
- docker build --label buildtime={{.NOW}} --build-arg BASE_IMAGE={{.BASE_IMAGE}} --build-arg PROJECT=trousseau -t $DOCKER_REGISTRY/$IMAGE_NAME:trousseau-$IMAGE_VERSION .
Expand All @@ -45,6 +51,7 @@ tasks:
- task: push:debug
- task: push:vault
- task: push:awskms
- task: push:azurekms
- task: push:trousseau
push:proxy:
cmds:
Expand All @@ -58,6 +65,9 @@ tasks:
push:awskms:
cmds:
- docker push $DOCKER_REGISTRY/$IMAGE_NAME:awskms-$IMAGE_VERSION
push:azurekms:
cmds:
- docker push $DOCKER_REGISTRY/$IMAGE_NAME:azurekms-$IMAGE_VERSION
push:trousseau:
cmds:
- docker push $DOCKER_REGISTRY/$IMAGE_NAME:trousseau-$IMAGE_VERSION
Expand All @@ -68,6 +78,7 @@ tasks:
- task: run:debug
- task: run:vault
- task: run:awskms
- task: run:azurekms
- task: run:trousseau
run:proxy:
deps:
Expand Down Expand Up @@ -102,6 +113,12 @@ tasks:
- 'printf %"s\n" "endpoint: https://localhost.localstack.cloud:4566" "profile: trousseau-local-aws" "keyArn: $(docker exec trousseau-local-aws awslocal kms create-key | grep Arn | cut -d''"'' -f4)" > tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/awskms.yaml'
- docker rm -f trousseau-awskms || true
- docker run -d --name trousseau-awskms --rm --network=container:trousseau-local-aws -v $PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/aws-credentials.ini:/.aws/credentials -v $PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/awskms.yaml:/etc/config.yaml -v $PWD/bin/run:/opt/trousseau-kms $DOCKER_REGISTRY/$IMAGE_NAME:awskms-$IMAGE_VERSION --config-file-path=/etc/config.yaml -v=3
run:azurekms:
deps:
- :run-dir:init
cmds:
- docker rm -f trousseau-azurekms || true
- docker run -d --name trousseau-azurekms --rm -v $PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/azurekms.json:$PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/azurekms.json -v $PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/azurekms.yaml:/etc/config.yaml -v $PWD/bin/run:/opt/trousseau-kms $DOCKER_REGISTRY/$IMAGE_NAME:azurekms-$IMAGE_VERSION --config-file-path=/etc/config.yaml -v=3
run:trousseau:
deps:
- :run-dir:init
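Review bot: `run:azurekms` bind-mounts the credentials file to its own absolute host path inside the container (`-v $PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/azurekms.json:$PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/azurekms.json`), unlike `run:awskms` which mounts to the fixed `/.aws/credentials`; if `azurekms.yaml` points at the credentials by that host path (not visible here) the test config is tied to one checkout location and breaks on any other machine or runner. Mount to a fixed container path instead, e.g. `-v $PWD/tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/azurekms.json:/.azure/azurekms.json`, and reference `/.azure/azurekms.json` from the config. That JSON presumably holds an Azure credential (it is what `TR_AZUREKMS_CREDENTIALS` is for), so `tests/e2e/kuttl/*/azurekms.json` should be gitignored like the AWS `aws-credentials.ini` — confirm it is.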
2 changes: 1 addition & 1 deletion .task/fetch.yml
Expand Up @@ -2,7 +2,7 @@ version: 3
vars:
KIND_VERSION: 0.14.0
GOSEC_VERSION: 2.11.0
GOLANGCI_VERSION: 1.46.2
GOLANGCI_VERSION: 1.47.2
HELM_VERSION: 3.6.3
VAULT_VERSION: 1.8.1
KUBECTL_VERSION: 1.21.1
54 changes: 54 additions & 0 deletions .task/go.yml
Expand Up @@ -9,6 +9,7 @@ tasks:
- task: tidy:debug
- task: tidy:vault
- task: tidy:awskms
- task: tidy:azurekms
- task: tidy:trousseau
tidy:lib:
cmds:
Expand All @@ -29,6 +30,10 @@ tasks:
dir: providers/awskms
cmds:
- go mod tidy
tidy:azurekms:
dir: providers/azurekms
cmds:
- go mod tidy
tidy:trousseau:
dir: trousseau
cmds:
Expand All @@ -41,6 +46,7 @@ tasks:
- task: fmt:debug
- task: fmt:vault
- task: fmt:awskms
- task: fmt:azurekms
- task: fmt:trousseau
fmt:lib:
cmds:
Expand All @@ -61,6 +67,10 @@ tasks:
dir: providers/awskms
cmds:
- go fmt ./...
fmt:azurekms:
dir: providers/azurekms
cmds:
- go fmt ./...
fmt:trousseau:
dir: trousseau
cmds:
Expand All @@ -73,6 +83,7 @@ tasks:
- task: vet:debug
- task: vet:vault
- task: vet:awskms
- task: vet:azurekms
- task: vet:trousseau
vet:lib:
cmds:
Expand All @@ -93,6 +104,10 @@ tasks:
dir: providers/awskms
cmds:
- go vet ./...
vet:azurekms:
dir: providers/azurekms
cmds:
- go vet ./...
vet:trousseau:
dir: trousseau
cmds:
Expand All @@ -105,6 +120,7 @@ tasks:
- task: gosec:debug
- task: gosec:vault
- task: gosec:awskms
- task: gosec:azurekms
- task: gosec:trousseau
gosec:lib:
deps:
Expand Down Expand Up @@ -135,6 +151,12 @@ tasks:
- :fetch:gosec
cmds:
- gosec ./...
gosec:azurekms:
dir: providers/azurekms
deps:
- :fetch:gosec
cmds:
- gosec ./...
gosec:trousseau:
dir: trousseau
deps:
Expand All @@ -149,6 +171,7 @@ tasks:
- task: golangci:debug
- task: golangci:vault
- task: golangci:awskms
- task: golangci:azurekms
- task: golangci:trousseau
golangci:lib:
deps:
Expand Down Expand Up @@ -177,6 +200,10 @@ tasks:
dir: providers/awskms
cmds:
- golangci-lint run -c ../../.golangci.yaml
golangci:azurekms:
dir: providers/azurekms
cmds:
- golangci-lint run -c ../../.golangci.yaml
golangci:trousseau:
dir: trousseau
deps:
Expand All @@ -191,6 +218,7 @@ tasks:
- task: unit-tests:debug
- task: unit-tests:vault
- task: unit-tests:awskms
- task: unit-tests:azurekms
- task: unit-tests:trousseau
unit-tests:lib:
cmds:
Expand All @@ -211,6 +239,10 @@ tasks:
dir: providers/awskms
cmds:
- go test -coverprofile cover.out -race -timeout 30s ./...
unit-tests:azurekms:
dir: providers/azurekms
cmds:
- go test -coverprofile cover.out -race -timeout 30s ./...
unit-tests:trousseau:
dir: trousseau
cmds:
Expand Down Expand Up @@ -243,6 +275,13 @@ tasks:
- tidy:awskms
cmds:
- go run -ldflags '-X github.com/ondat/trousseau/pkg/utils.SecretLogDivider=1' main.go --config-file-path ../../tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/awskms.yaml --listen-addr unix://../../bin/run/awskms/awskms.socket --zap-encoder=console --v=5
run:azurekms:
dir: providers/azurekms
deps:
- :run-dir:init
- tidy:azurekms
cmds:
- go run -ldflags '-X github.com/ondat/trousseau/pkg/utils.SecretLogDivider=1' main.go --config-file-path ../../tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/azurekms.yaml --listen-addr unix://../../bin/run/azurekms/azurekms.socket --zap-encoder=console --v=5
run:trousseau:
dir: trousseau
deps:
Expand All @@ -256,6 +295,7 @@ tasks:
- task: e2e-tests:debug
- task: e2e-tests:vault
- task: e2e-tests:awskms
- task: e2e-tests:azurekms
e2e-tests:vault:
deps:
- :fetch:kuttl
Expand Down Expand Up @@ -284,6 +324,20 @@ tasks:
- task: :cluster:create
- ./bin/kubectl-kuttl test --config tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/kuttl.yaml
- task: :cluster:delete
e2e-tests:azurekms:
deps:
- :fetch:kuttl
- :fetch:kind
- :docker:build:proxy
- :docker:build:azurekms
- :docker:build:trousseau
cmds:
- task: :docker:run:proxy
- task: :docker:run:azurekms
- ENABLED_PROVIDERS="--enabled-providers=azurekms" task docker:run:trousseau
- task: :cluster:create
- ./bin/kubectl-kuttl test --config tests/e2e/kuttl/kube-v{{.KIND_CLUSTER_VERSION}}/kuttl.yaml
- task: :cluster:delete
e2e-tests:debug:
deps:
- :fetch:kuttl
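Review bot: `run:azurekms` (the hunk further up in this file) links the provider with `-X github.com/ondat/trousseau/pkg/utils.SecretLogDivider=1` and runs it at `--v=5`, copied verbatim from `run:awskms`; the variable's name suggests it controls how much of a secret is written to logs, and nothing on this page says what `1` means, so a reader cannot tell whether this is a deliberate local-debug override that must never reach a release build. A comment on the task would settle it: `# SecretLogDivider=1 relaxes secret redaction in logs for local debugging only — never set in release builds (see pkg/utils)` — wording to be confirmed against `pkg/utils`. `e2e-tests:azurekms` follows the existing pattern of `:cluster:delete` only running when every earlier cmd succeeds, so a failed kuttl run leaves the kind cluster and the three containers up; that is pre-existing behaviour, not new here.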
5 changes: 4 additions & 1 deletion .task/prod.yml
Expand Up @@ -50,7 +50,7 @@ tasks:
- source {{.ENV_LOCATION}} ;
export $(echo "${!TR_*}") ;
for f in `cd deployment ; find docker-compose -type f`; do ./bin/envsubst -no-empty -i deployment/$f -o generated_manifests/$f; done ;
(cd generated_manifests/docker-compose ; docker compose -f docker-compose.yaml -f docker-compose.override.awskms.yaml -f docker-compose.override.vault.yaml config 1>/dev/null)
(cd generated_manifests/docker-compose ; docker compose -f docker-compose.yaml -f docker-compose.override.awskms.yaml -f docker-compose.override.azurekms.yaml -f docker-compose.override.vault.yaml config 1>/dev/null)
generate:kustomize:
desc: generate kustomize manifests
deps:
Expand All @@ -61,6 +61,7 @@ tasks:
- source {{.ENV_LOCATION}} ;
TR_ENABLED_PROVIDERS=$(echo ${TR_ENABLED_PROVIDERS} | sed "s/ --/\n - --/") ;
test -n "${TR_AWSKMS_CONFIG}" && TR_AWSKMS_CONFIG=$(cat ${TR_AWSKMS_CONFIG} 2>/dev/null | sed 's/^/ /') ;
test -n "${TR_AZUREKMS_CONFIG}" && TR_AZUREKMS_CONFIG=$(cat ${TR_AZUREKMS_CONFIG} 2>/dev/null | sed 's/^/ /') ;
export $(echo "${!TR_*}") ;
for f in `cd deployment ; find kustomize -type f`; do ./bin/envsubst -no-empty -i deployment/$f -o generated_manifests/$f; done ;
docker run --rm -v $PWD/generated_manifests/kustomize:/work -w /work nixery.dev/shell/kustomize/kubeval sh -c 'kustomize build | kubeval'
Expand All @@ -75,6 +76,8 @@ tasks:
- source {{.ENV_LOCATION}} ;
test -n "${TR_AWSKMS_CONFIG}" && cat ${TR_AWSKMS_CONFIG} | sed 's/^/ /' > generated_manifests/helm/awsconfig.yaml ;
TR_AWSKMS_CONFIG=awsconfig.yaml;
test -n "${TR_AZUREKMS_CONFIG}" && cat ${TR_AZUREKMS_CONFIG} | sed 's/^/ /' > generated_manifests/helm/azureconfig.yaml ;
TR_AZUREKMS_CONFIG=azureconfig.yaml;
TR_ENABLED_PROVIDERS=$(echo ${TR_ENABLED_PROVIDERS} | sed "s/ --/\n - --/") ;
export $(echo "${!TR_*}") ;
./bin/envsubst -no-empty -i deployment/helm/values.yaml -o generated_manifests/helm/values.yaml ;
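Review bot: In the helm generator the new `test -n "${TR_AZUREKMS_CONFIG}" && cat ${TR_AZUREKMS_CONFIG} | sed ... > generated_manifests/helm/azureconfig.yaml ;` has no error handling and the cmds are `;`-joined with no `set -e`, so a missing or unreadable config file produces an empty `azureconfig.yaml` while the next line still exports `TR_AZUREKMS_CONFIG=azureconfig.yaml`, and the generated values reference an empty provider config that only fails, if at all, at deploy time; the kustomize hunk above even adds `2>/dev/null`, hiding the same condition there. Appending `|| exit 1` to the redirect line (and dropping the `2>/dev/null` in the kustomize hunk) makes the generator fail fast. Since both generators copy the provider config verbatim into manifests, `azurekms.yaml` must reference credentials by path and never contain inline secrets — inferred from the generators, confirm what the config holds. The task's cmds continue outside the hunk.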