Upgrade to Python 3.10, add deployment via Flux

.github/workflows/ci.yml

@@ -1,3 +1,4 @@
+---
 name: CI
 
 on:
@@ -9,26 +10,24 @@ on:
 
 jobs:
   test:
-    # Combining linting into testing to save recreating workspace
     name: Test
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@master
-      - name: Install Python 3.8
+        uses: actions/checkout@v2
+      - name: Install Python 3.10
         uses: actions/setup-python@v2
         with:
-          python-version: '3.8'
-          architecture: 'x64'
+          python-version: '3.10'
       - name: Install Poetry
         run: |
-          pip install poetry
+          pip install poetry==1.2.0a2
       - name: Install dev dependencies
         run: poetry install
       - name: Run Black
         run: poetry run black --check keyvault2kube
       - name: Run isort
-        run: poetry run isort -c
+        run: poetry run isort -c keyvault2kube
       - name: Validated Kuberentes deployment
         uses: instrumenta/kubeval-action@master
         with:

Dockerfile

@@ -1,14 +1,12 @@
-FROM python:3.8-slim
-RUN pip install poetry
+FROM python:3.10-slim
+RUN pip install poetry==1.2.0a2
 WORKDIR /app
-COPY pyproject.toml poetry.lock /app/
-RUN poetry export -f requirements.txt > /requirements.txt
+ADD . .
+RUN poetry build
 
-FROM python:3.8-slim
-WORKDIR /app
-COPY --from=0 /requirements.txt /app/requirements.txt
-RUN pip install --require-hashes -r /app/requirements.txt
-COPY keyvault2kube /app/keyvault2kube
+FROM python:3.10-slim
+COPY --from=0 /app/dist/*.whl /
+RUN pip install keyvault2kube-*.*.*-py3-none-any.whl
 
 ENV PYTHONUNBUFFERED=1
 

README.md

@@ -7,6 +7,39 @@
 
 ## Deployment
 
+### Flux Deployment
+
+Deployment via Flux can be achieved with a kustomization similar to the below.
+
+```yaml
+bases:
+- github.com/terrycain/keyvault2kube/deploy?ref=2.1.0
+
+patches:
+  - target:
+      kind: Deployment
+    patch: |-
+      - op: replace
+        path: /spec/template/spec/containers/0/env
+        value:
+          - name: KEY_VAULT_URLS
+            value: https://bink-uksouth-dev-inf.vault.azure.net/
+  - target:
+      kind: AzureIdentity
+    patch: |-
+      - op: replace
+        path: /spec/resourceID
+        value: /subscriptions/abc123ab-abc1-def2-ghi3-abc123ab1231/resourceGroups/foogroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/bar
+  - target:
+      kind: AzureIdentity
+    patch: |-
+      - op: replace
+        path: /spec/clientID
+        value: a4e207e6-9d04-4a47-937d-a2bc32a18c00
+```
+
+### Manual Deployment
+
 Ideally the container should get KeyVault credentials from a managed service identity using something like the 
 `aad-pod-identity` project but it will also respect the env vars of `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_TENANT_ID`.
 

deploy/azureidentity.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentity
+metadata:
+  name: keyvault2kube
+  namespace: kube-system
+  annotations:
+    aadpodidentity.k8s.io/Behavior: namespaced
+spec:
+  type: 0
+  resourceID: /subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/foo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/bar
+  clientID: 00000000-0000-0000-0000-00000000
+---
+apiVersion: aadpodidentity.k8s.io/v1
+kind: AzureIdentityBinding
+metadata:
+  name: keyvault2kube
+  namespace: kube-system
+spec:
+  azureIdentity: keyvault2kube
+  selector: keyvault2kube

deploy/clusterrole.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: keyvault2kube
+rules:
+  - apiGroups: ['']
+    resources: [secrets]
+    verbs: [get, update, create, patch]
+  - apiGroups: ['']
+    resources: [namespaces]
+    verbs: [list]

deploy/clusterrolebinding.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: keyvault2kube
+subjects:
+  - kind: ServiceAccount
+    name: keyvault2kube
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: keyvault2kube
+  apiGroup: rbac.authorization.k8s.io

deploy/deploy.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keyvault2kube
+  namespace: kube-system
+  labels:
+    app: keyvault2kube
+spec:
+  selector:
+    matchLabels:
+      app: keyvault2kube
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: app
+      labels:
+        app: keyvault2kube
+        aadpodidbinding: keyvault2kube
+    spec:
+      serviceAccountName: keyvault2kube
+      containers:
+        - name: app
+          image: ghcr.io/terrycain/keyvault2kube:latest
+          env:
+            - name: KEY_VAULT_URLS
+              value: https://foo.vault.azure.net/
+          resources:
+            requests:
+              cpu: 100m
+              memory: 64Mi
+            limits:
+              cpu: 1000m
+              memory: 64Mi

deploy/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+resources:
+  - azureidentity.yaml
+  - clusterrole.yaml
+  - clusterrolebinding.yaml
+  - deploy.yaml
+  - serviceaccount.yaml
+
+namespace: kube-system

deploy/serviceaccount.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: keyvault2kube
+  namespace: kube-system