Merge branch 'main' into feature/samaccountname-rules

stackabletech · Jul 26, 2024 · 29eae2c · 29eae2c
2 parents 7c23a34 + 4c324c7
commit 29eae2c
Show file tree

Hide file tree

Showing 12 changed files with 349 additions and 5 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -11,7 +11,7 @@
 # Author
 - [ ] Changes are OpenShift compatible
 - [ ] CRD changes approved
-- [ ] CRD documentation for all fields, following the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs-style-guide).
+- [ ] CRD documentation for all fields, following the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs/style-guide).
 - [ ] Helm chart can be installed and deployed operator works
 - [ ] Integration tests passed (for non trivial changes)
 - [ ] Changes need to be "offline" compatible
@@ -22,7 +22,7 @@
 - [ ] Code contains useful comments
 - [ ] Code contains useful logging statements
 - [ ] (Integration-)Test cases added
-- [ ] Documentation added or updated. Follows the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs-style-guide).
+- [ ] Documentation added or updated. Follows the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs/style-guide).
 - [ ] Changelog updated
 - [ ] Cargo.toml only contains references to git tags (not specific commits or branches)
 ```

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -368,7 +368,13 @@ jobs:
           make -e build
       - name: Publish Docker image and Helm chart
         if: ${{ !github.event.pull_request.head.repo.fork }}
-        run: make -e publish
+        run: |
+          # We want to publish helmcharts only once as they have a common name, while still publishing both images with architecture specific tags
+          if [ "$(uname -m)" = "x86_64" ]; then
+            make -e publish
+          else
+            make -e docker-publish
+          fi
         # Output the name of the published image to the Job output for later use
       - id: printtag
         name: Output image name and tag

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,9 +6,16 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- The associated configuration is now logged for each issued secret ([#413]).
 - Active Directory's `samAccountName` generation can now be customized ([#454]).
 
+[#454]: https://github.com/stackabletech/secret-operator/pull/454
+
+## [24.7.0] - 2024-07-24
+
+### Added
+
+- The associated configuration is now logged for each issued secret ([#413]).
+
 ### Changed
 
 - [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` ([#397]).
@@ -31,7 +38,6 @@ All notable changes to this project will be documented in this file.
 [#403]: https://github.com/stackabletech/secret-operator/pull/403
 [#413]: https://github.com/stackabletech/secret-operator/pull/413
 [#440]: https://github.com/stackabletech/secret-operator/pull/440
-[#454]: https://github.com/stackabletech/secret-operator/pull/454
 [#467]: https://github.com/stackabletech/secret-operator/pull/467
 [#468]: https://github.com/stackabletech/secret-operator/pull/468
 [#470]: https://github.com/stackabletech/secret-operator/pull/470

diff --git a/deploy/helm/secret-operator/templates/secret_migration_job.yaml b/deploy/helm/secret-operator/templates/secret_migration_job.yaml
@@ -0,0 +1,55 @@
+---
+# Migrates the TLS CA keypair from the hard-coded default namespace to the operator namespace
+# See https://github.com/stackabletech/secret-operator/issues/453
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-5"
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+spec:
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "operator.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: migrate-secret
+        image: "{{ .Values.secretMigrationJob.image.repository }}:1.0.0-stackable24.7.0"
+        imagePullPolicy: {{ .Values.secretMigrationJob.image.pullPolicy }}
+        resources:
+            {{ .Values.secretMigrationJob.resources | toYaml | nindent 12 }}
+        command: ["bash", "-c"]
+        args:
+        - |
+          #!/bin/bash
+          set -euo pipefail
+          SOURCE_NAMESPACE=default
+          TARGET_NAMESPACE={{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
+
+          # only continue if secret exists
+          if source_ca_secret="$(kubectl get secret -n $SOURCE_NAMESPACE secret-provisioner-tls-ca -o json)"; then
+            echo "secret exists in namespace $SOURCE_NAMESPACE"
+            # only continue if secret in target namespace does NOT exist
+            if ! kubectl get secret -n $TARGET_NAMESPACE secret-provisioner-tls-ca; then
+              echo "secret does not exist in namespace $TARGET_NAMESPACE"
+              # copy secret from default to {{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
+              echo "$source_ca_secret" | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' | kubectl apply -n $TARGET_NAMESPACE -f -
+            fi
+          fi
+      restartPolicy: Never
diff --git a/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml b/deploy/helm/secret-operator/templates/secret_migration_rbac.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  {{- with .Values.serviceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration-clusterrolebinding
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+  {{- include "operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - patch
+      - update
diff --git a/deploy/helm/secret-operator/values.yaml b/deploy/helm/secret-operator/values.yaml
@@ -5,6 +5,18 @@ image:
   pullPolicy: IfNotPresent
   pullSecrets: []
 
+secretMigrationJob:
+  image:
+    repository: docker.stackable.tech/stackable/tools
+    pullPolicy: IfNotPresent
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 100m
+      memory: 128Mi
+
 csiProvisioner:
   image:
     repository: docker.stackable.tech/k8s/sig-storage/csi-provisioner

diff --git a/docs/modules/secret-operator/examples/cert-manager/certificate.yaml b/docs/modules/secret-operator/examples/cert-manager/certificate.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: my-app-tls # <1>
+spec:
+  secretName: my-app-tls # <2>
+  secretTemplate:
+    labels:
+      secrets.stackable.tech/class: tls-cert-manager # <3>
+      secrets.stackable.tech/service: my-app # <4>
+  dnsNames:
+    - my-app # <5>
+  issuerRef:
+    kind: Issuer
+    name: secret-operator-demonstration # <6>
diff --git a/docs/modules/secret-operator/examples/cert-manager/issuer.yaml b/docs/modules/secret-operator/examples/cert-manager/issuer.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: secret-operator-demonstration # <1>
+spec:
+  ca:
+    secretName: secret-operator-demonstration-ca
+# Create a self-signed CA for secret-operator-demonstration to use
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: secret-operator-demonstration-ca
+spec:
+  secretName: secret-operator-demonstration-ca
+  isCA: true
+  commonName: Stackable Secret Operator/Cert-Manager Demonstration CA
+  issuerRef:
+    kind: Issuer
+    name: secret-operator-demonstration-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: secret-operator-demonstration-ca
+spec:
+  selfSigned: {}
diff --git a/docs/modules/secret-operator/examples/cert-manager/pod.yaml b/docs/modules/secret-operator/examples/cert-manager/pod.yaml
@@ -0,0 +1,71 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          volumeMounts:
+            - name: tls
+              mountPath: /tls
+            - name: config
+              mountPath: /etc/nginx/conf.d
+          ports:
+            - name: https
+              containerPort: 443
+      volumes:
+        - name: tls # <1>
+          ephemeral:
+            volumeClaimTemplate:
+              metadata:
+                annotations:
+                  secrets.stackable.tech/class: tls-cert-manager # <2>
+                  secrets.stackable.tech/scope: service=my-app # <3>
+              spec:
+                storageClassName: secrets.stackable.tech
+                accessModes:
+                  - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: "1"
+        - name: config
+          configMap:
+            name: my-app
+--- # <4>
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: my-app
+data:
+  default.conf: |
+    server {
+        listen 443 ssl;
+        ssl_certificate /tls/tls.crt;
+        ssl_certificate_key /tls/tls.key;
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+    }
+--- # <5>
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-app
+spec:
+  selector:
+    app: my-app
+  ports:
+    - name: https
+      port: 443
diff --git a/docs/modules/secret-operator/examples/cert-manager/secretclass.yaml b/docs/modules/secret-operator/examples/cert-manager/secretclass.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: tls-cert-manager # <1>
+spec:
+  backend:
+    k8sSearch:
+      searchNamespace:
+        pod: {} # <2>