From dad3d638b553042d3095120c62ab05cfba661b4f Mon Sep 17 00:00:00 2001
From: Maurice Faber
Date: Fri, 24 Dec 2021 11:22:59 +0100
Subject: [PATCH] fix: encryption (#700)
---
 chart/otomi/values.yaml | 13 ++++---
 helmfile.d/snippets/derived.gotmpl | 2 +-
 helmfile.d/snippets/env.gotmpl | 2 +-
 src/cmd/bootstrap.test.ts | 8 +++-
 src/cmd/bootstrap.ts | 27 +++++++++++--
 src/fixtures/bootstrap/values-full.yaml | 38 -------------------
 src/test-stubs.ts | 12 ------
 tests/fixtures/env/cluster.yaml | 2 +-
 tests/kind/env/cluster.yaml | 1 -
 tpl/.drone.yml.gotmpl | 1 -
 values-schema.yaml | 8 ++--
 .../cluster-autoscaler.gotmpl | 2 +-
 12 files changed, 45 insertions(+), 71 deletions(-)
 delete mode 100644 src/fixtures/bootstrap/values-full.yaml
diff --git a/chart/otomi/values.yaml b/chart/otomi/values.yaml
index efa17b41c5..508ca8988b 100644
--- a/chart/otomi/values.yaml
+++ b/chart/otomi/values.yaml
@@ -2,15 +2,16 @@ cluster:
 # domainSuffix: '' # Needs to be set when hasExternalDNS is set to true
 k8sVersion: '1.20'
 name: 'dev'
- owner: ''
 provider: '' # provider can be one of aws|azure|google|onprem
-otomi:
+ # owner: '' # will be set to 'otomi' if left empty
+otomi: {}
 # adminPassword: '' # Will be automatically generated if not filled-in
- # Set to true when using an external DNS zone. Use default (false) to get assigned a '*.nip.io' domain.
- hasExternalDNS: false
- # Set this to true, when you bring your own IDP such as Azure AD. Then you must also fill in the 'oidc:' settings below. When set to false Keycloak will become the IDP.
+ # Set hasExternalDNS to true when using an external DNS zone. Otherwise a '*.nip.io' domain will be created.
+ # hasExternalDNS: false
+ # Set hasExternalIDP to true,when you bring your own IDP such as Azure AD. When set to false Keycloak will become the IDP.
+ # NOTE: When this is set to true you must also fill in the 'oidc:' settings below.
 # hasExternalIDP: false
- # by default the image tag is set to .Chart.AppVersion
+ # By default the image tag is set to .Chart.AppVersion
 # version: master
 charts:
 cert-manager:
diff --git a/helmfile.d/snippets/derived.gotmpl b/helmfile.d/snippets/derived.gotmpl
index 1d364422e7..d968084ae7 100644
--- a/helmfile.d/snippets/derived.gotmpl
+++ b/helmfile.d/snippets/derived.gotmpl
@@ -17,7 +17,7 @@
 {{- $otomiTag = print "v" $otomiVersion }}
 {{- end }}
 {{- $versions = $versions | merge (dict "core" $otomiVersion) }}
-# Domain suffix may not be present during initial deplyment stage
+# Domain suffix may not be present during initial deployment stage
 {{- $domainSuffix := $v | get "cluster.domainSuffix" nil }}
 {{- $provider := $v.cluster.provider }}
 {{- $droneProvider := $c.drone.sourceControl.provider }}
diff --git a/helmfile.d/snippets/env.gotmpl b/helmfile.d/snippets/env.gotmpl
index e420cfcda9..c0489eaacc 100644
--- a/helmfile.d/snippets/env.gotmpl
+++ b/helmfile.d/snippets/env.gotmpl
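Review bot: The new hasExternalIDP comment is missing a space after the comma in `true,when`; these commented lines are the only inline documentation a user sees when editing the chart values, so suggest `# Set hasExternalIDP to true, when you bring your own IDP such as Azure AD. When set to false Keycloak will become the IDP.`. The `otomi: {}` placeholder reads fine, but a short comment saying the whole section may be omitted (this patch also drops `otomi` from `required` in values-schema.yaml) would save readers a lookup.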
@@ -2,7 +2,7 @@
 {{- $teams := readFile (print $ENV_DIR "/env/teams.yaml") | fromYaml }}
 {{- $settings := readFile (print $ENV_DIR "/env/settings.yaml") | fromYaml }}
 {{- $teams := keys $teams.teamConfig.teams}}
-{{- $hasSops := eq (exec "bash" (list "-c" "( test -f $ENV_DIR/.sops.yaml && echo 'true' ) || echo 'false'")) "true" }}
+{{- $hasSops := eq (exec "bash" (list "-c" "( test -f $ENV_DIR/.sops.yaml && echo 'true' ) || echo 'false'") | trim) "true" }}
 {{- $charts := (exec "bash" (list "-c" "find $ENV_DIR/env/charts -name '*.yaml' -not -name 'secrets.*.yaml'")) | splitList "\n" }}
 {{- $chartsSecret := (exec "bash" (list "-c" "find $ENV_DIR/env/charts -name 'secrets.*.yaml'")) | splitList "\n" }}
 {{- $ext := ($hasSops | ternary ".dec" "") }}
diff --git a/src/cmd/bootstrap.test.ts b/src/cmd/bootstrap.test.ts
index fba7871a68..7fee75b673 100644
--- a/src/cmd/bootstrap.test.ts
+++ b/src/cmd/bootstrap.test.ts
@@ -54,11 +54,15 @@ describe('Bootstrapping values', () => {
 const res = await getStoredClusterSecrets(deps)
 expect(res).toEqual(undefined)
 })
- it('should set k8sContext if needed', async () => {
+ it('should set apiName, k8sContext and owner if needed', async () => {
 await bootstrapValues(deps)
 expect(deps.writeValues).toHaveBeenCalledWith(
 expect.objectContaining({
- cluster: { k8sContext: `otomi-${values.cluster.provider}-${values.cluster.name}` },
+ cluster: expect.objectContaining({
+ apiName: expect.any(String),
+ k8sContext: expect.any(String),
+ owner: expect.any(String),
+ }),
 }),
 true,
 )
diff --git a/src/cmd/bootstrap.ts b/src/cmd/bootstrap.ts
index eb31e0f329..6872aa2f98 100644
--- a/src/cmd/bootstrap.ts
+++ b/src/cmd/bootstrap.ts
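Review bot: The `| trim` added on the `$hasSops` line fixes the trailing newline that `exec` returns, but the two `find` invocations directly below it are still piped straight into `splitList "\n"`, so presumably each list ends with an empty element that later file reads would see as an empty path; `| trim | splitList "\n"` on both would make them consistent with the line being fixed. The shell strings also expand `$ENV_DIR` from the process environment, and this same patch removes `ENV_DIR` from the `environment:` block in `tpl/.drone.yml.gotmpl`; if the CI image does not provide it some other way, `test -f $ENV_DIR/.sops.yaml` silently becomes `test -f /.sops.yaml`, `$hasSops` evaluates to false and, judging by `$ext`, the plain `secrets.*.yaml` files would be read instead of their `.dec` counterparts. Worth confirming where ENV_DIR now comes from, or adding `{{- /* requires ENV_DIR to be exported in the environment */ }}` above these lines.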
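Review bot: Replacing the exact `k8sContext` expectation with `expect.any(String)` means the test no longer pins the default naming scheme, so a regression in how the name is composed would still pass. `values.cluster.provider` and `values.cluster.name` are already in scope here, so the three fields can stay concrete: `apiName: \`otomi-${values.cluster.provider}-${values.cluster.name}\``, the same string for `k8sContext`, and `owner: 'otomi'`. The removed assertion used `values.cluster.provider` directly while the implementation calls `providerMap(provider)`; if the fixture's provider is not mapped to itself, import `providerMap` and build the expected value the same way.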
@@ -240,10 +240,29 @@ export const bootstrapValues = async (
 return
 }
 const finalValues = (await deps.hfValues()) as Record
- if (deps.isCli && !finalValues.cluster.k8sContext) {
- const k8sContext = `otomi-${providerMap(finalValues.cluster.provider)}-${finalValues.cluster.name}`
- deps.debug.info(`No value for cluster.k8sContext found, providing default one: ${k8sContext}`)
- await deps.writeValues({ cluster: { k8sContext } }, true)
+ const {
+ cluster: { apiName, k8sContext, name, owner, provider },
+ } = finalValues
+ // we can set defaults for the following 3 and some derived values
+ // that we want to end up in the files, so the api can access them
+ if (!k8sContext || !apiName || !owner) {
+ const add: Record = { cluster: {} }
+ const engine = providerMap(provider)
+ const defaultOwner = 'otomi'
+ const defaultName = `${owner || defaultOwner}-${engine}-${name}`
+ if (!apiName) {
+ deps.debug.info(`No value for cluster.apiName found, providing default one: ${defaultName}`)
+ add.cluster.apiName = defaultName
+ }
+ if (!k8sContext) {
+ deps.debug.info(`No value for cluster.k8sContext found, providing default one: ${defaultName}`)
+ add.cluster.k8sContext = defaultName
+ }
+ if (!owner) {
+ deps.debug.info(`No value for cluster.owner found, providing default one: ${defaultOwner}`)
+ add.cluster.owner = defaultOwner
+ }
+ await deps.writeValues(add, true)
 }
 await deps.genSops()
 if (deps.existsSync(`${ENV_DIR}/.sops.yaml`)) {
diff --git a/src/fixtures/bootstrap/values-full.yaml b/src/fixtures/bootstrap/values-full.yaml
deleted file mode 100644
index cc649ef30b..0000000000
--- a/src/fixtures/bootstrap/values-full.yaml
+++ /dev/null
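Review bot: The new destructuring `cluster: { apiName, k8sContext, name, owner, provider }` throws a TypeError when `finalValues.cluster` is absent, and because `hfValues()` is cast the compiler will not flag it; the removed code had the same exposure on one field, but this block now depends on five, so a guard such as `const { apiName, k8sContext, name, owner, provider } = finalValues.cluster ?? {}` (or an explicit error naming the missing section) is worth adding. The `deps.isCli` condition from the removed line is gone, so these defaults are now written in every mode — presumably intended given the comment about the api, but saying so in that comment would make it explicit. The three `if` blocks repeat the same log-then-assign shape and could share one small local helper taking the key, current value and default, which would keep the log messages identical. Note that `values/cluster-autoscaler/cluster-autoscaler.gotmpl` in this patch reads `$v.cluster.owner` directly, so it relies on this defaulting having run before the chart renders. bootstrapValues starts before this hunk and continues past it.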
@@ -1,38 +0,0 @@
-# Source: helmfile-dump.yaml
-charts:
- cert-manager:
- email: admins@redkubes.com
- stage: production
-cluster:
- domainSuffix: dev.eks.otomi.cloud
- k8sVersion: '1.21'
- k8sContext: otomi-eks-dev
- name: dev
- owner: redkubes
- provider: aws
- region: eu-central-1
-dns:
- provider:
- aws:
- region: eu-central-1
-kms:
- sops:
- aws:
- accessKey: xx
- secretKey: xx
- keys: arn:aws:kms:eu-central-1:1234567890:key/xx+arn:aws:iam::1234567890:role/otomi-kms
- provider: aws
-oidc:
- adminGroupID: xx
- clientID: xx
- clientSecret: xx
- issuer: xx
- teamAdminGroupID: xx
-otomi:
- adminPassword: bladibla
- globalPullSecret:
- username: otomi
- password: xx
- hasExternalDNS: true
- hasExternalIDP: true
- version: v0.14.45
diff --git a/src/test-stubs.ts b/src/test-stubs.ts
index de7dfe3a00..c7d869466e 100644
--- a/src/test-stubs.ts
+++ b/src/test-stubs.ts
@@ -1,11 +1,5 @@
 import { createMock } from 'ts-auto-mock'
 import { OtomiDebugger } from './common/debug'
-import { loadYaml } from './common/utils'
-
-let valuesOverrides = {}
-export const setValuesOverrides = (overrides: Record): void => {
- valuesOverrides = overrides
-}
 
 const stubs = {
 terminal: (): OtomiDebugger =>
@@ -16,11 +10,5 @@ const stubs = {
 warn: jest.fn(),
 error: jest.fn(),
 }),
- utils: {
- loadYaml: jest.fn(() => {
- const minimalValues = loadYaml(`${process.cwd()}/src/fixtures/bootstrap/values-full.yaml`)
- return { ...minimalValues, ...valuesOverrides }
- }),
- },
 }
 export default stubs
diff --git a/tests/fixtures/env/cluster.yaml b/tests/fixtures/env/cluster.yaml
index f574606442..1182e944ca 100644
--- a/tests/fixtures/env/cluster.yaml
+++ b/tests/fixtures/env/cluster.yaml
@@ -1,6 +1,6 @@
 cluster:
 apiName: eks_otomi-cloud_eu-central-1_otomi-eks-demo
- apiServer: https://mycluster.otomi.io
+ apiServer: https://1.1.1.1:8443
 domainSuffix: demo.eks.otomi.cloud
 k8sContext: otomi-eks-demo
 k8sVersion: '1.19'
diff --git a/tests/kind/env/cluster.yaml b/tests/kind/env/cluster.yaml
index 4c4d992043..aaba7473a3 100644
--- a/tests/kind/env/cluster.yaml
+++ b/tests/kind/env/cluster.yaml
@@ -3,5 +3,4 @@ cluster:
 k8sContext: kubernetes-admin@kind
 k8sVersion: '1.19'
 name: kind
- owner: redkubes
 provider: kind
diff --git a/tpl/.drone.yml.gotmpl b/tpl/.drone.yml.gotmpl
index 45ec7bb4b6..d3214c68a6 100644
--- a/tpl/.drone.yml.gotmpl
+++ b/tpl/.drone.yml.gotmpl
@@ -22,7 +22,6 @@ trigger:
 environment:
 IN_DOCKER: '1'
 VERBOSITY: '1'
- ENV_DIR: /home/app/stack/env
 
 steps:
 {{- if eq .provider "slack" }}
diff --git a/values-schema.yaml b/values-schema.yaml
index 6e527dd89b..00e801a644 100644
--- a/values-schema.yaml
+++ b/values-schema.yaml
@@ -226,7 +226,7 @@ definitions:
 $ref: '#/definitions/wordCharacterPattern'
 apiServer:
 description: Used by kubectl for local deployment to target cluster.
- $ref: '#/definitions/url'
+ pattern: '^https:\/\/.*'
 domainSuffix:
 $ref: '#/definitions/domain'
 description: Domain suffix for the cluster. Also added to list of dns zones in the Otomi Console.
@@ -2288,7 +2288,7 @@ properties:
 type: boolean
 hasExternalDNS:
 description: Set this to true when an external dns zone is available to manage dns records. (Expects required `dns:` fields to be set.)
- default: true
+ default: false
 type: boolean
 hasExternalIDP:
 default: false
@@ -2540,6 +2540,8 @@ properties:
 patternProperties:
 ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$:
 $ref: '#/definitions/team'
+ version:
+ type: integer
+ description: DO NOT CHANGE! Holds the values-schema version. For more details, see `otomi migrate`.
 required:
 - cluster
- - otomi
diff --git a/values/cluster-autoscaler/cluster-autoscaler.gotmpl b/values/cluster-autoscaler/cluster-autoscaler.gotmpl
index 0f64a76062..cf2ba1f264 100644
--- a/values/cluster-autoscaler/cluster-autoscaler.gotmpl
+++ b/values/cluster-autoscaler/cluster-autoscaler.gotmpl
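Review bot: The new `pattern: '^https:\/\/.*'` for `apiServer` accepts any string that merely starts with `https://`, including one with embedded whitespace or nothing after the scheme, which is looser than the `url` definition it replaces; presumably the swap is to admit bare IP hosts such as the `https://1.1.1.1:8443` now used in `tests/fixtures/env/cluster.yaml`, in which case something like `pattern: '^https:\/\/[^\s\/]+(:\d+)?(\/.*)?$'` (constructed, adjust as needed) keeps that while still requiring a host. Since this field is what kubectl is pointed at, the schema is the last place a typo gets caught before a deploy. The `version` property added in the third hunk has no lower bound; `minimum: 0` alongside `type: integer` would reject negative values cheaply. The `default: false` change for `hasExternalDNS` in the second hunk matches the commented default in `chart/otomi/values.yaml`.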
@@ -9,7 +9,7 @@ image:
 {{- end }}
 repository: eu.gcr.io/k8s-artifacts-prod/autoscaling/cluster-autoscaler
 tag: v1.18.2
-{{ $map := readFile "../../helmfile.d/snippets/provider-engine-map.gotmpl" | fromYaml }}
+{{- $map := readFile "../../helmfile.d/snippets/provider-engine-map.gotmpl" | fromYaml }}
 autoDiscovery:
 clusterName: {{ printf "%s-%s-%s" $v.cluster.owner (index $map $v.cluster.provider) $v.cluster.name }}