feat: add github actions for lint/test and release (#2)

Basic helm chart linting, and testing installation!

.github/workflows/lint-test.yaml

@@ -0,0 +1,124 @@
+name: Lint and Test Charts
+
+on: pull_request
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    env:
+      CT_TARGET_BRANCH: main
+      VAULT_ADDR: http://127.0.0.1:8200
+      MY_NAMESPACE: vault-gcr-secrets
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Setup Vault
+        run: |
+          curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
+          sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+          sudo apt-get update && sudo apt-get install vault
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint
+
+      - name: Create KIND cluster with Registry
+        # uses: helm/[email protected]
+        uses: container-tools/kind-action@v1
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Install Vault Service
+        run: |
+          kubectl create namespace vault
+          helm repo add hashicorp https://helm.releases.hashicorp.com
+          helm upgrade --install vault hashicorp/vault \
+            --namespace=vault \
+            --version=0.18.0 \
+            --set server.dev.enabled=true \
+            --set injector.enabled=false
+          kubectl wait pod/vault-0 --namespace=vault  --for=condition=Ready --timeout=180s
+
+      - name: Configure vault for kubernetes authentication
+        env:
+          VAULT_AUTH_NAMESPACE: kube-system
+        run: |
+          kubectl port-forward --namespace vault vault-0 8200 &
+          sleep 10s
+          vault login root
+          kubectl create serviceaccount --namespace $VAULT_AUTH_NAMESPACE vault-auth
+          kubectl create clusterrolebinding vault-auth-kube \
+            --clusterrole system:auth-delegator \
+            --serviceaccount $VAULT_AUTH_NAMESPACE:vault-auth
+          VAULT_SECRET_NAME=$(kubectl get serviceaccount vault-auth \
+            --namespace $VAULT_AUTH_NAMESPACE \
+            --output jsonpath="{.secrets[*]['name']}")
+          SA_JWT_TOKEN=$(kubectl get secret $VAULT_SECRET_NAME \
+            --namespace $VAULT_AUTH_NAMESPACE \
+            --output 'go-template={{ .data.token }}' | base64 --decode)
+          SA_CA_CRT=$(kubectl config view --raw --minify --flatten \
+            --output 'jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
+          vault auth enable kubernetes
+          vault write auth/kubernetes/config \
+            token_reviewer_jwt="$SA_JWT_TOKEN" \
+            kubernetes_host="https://kubernetes.default.svc" \
+            kubernetes_ca_cert="$SA_CA_CRT" \
+            issuer="https://kubernetes.default.svc.cluster.local"
+
+      - name: Setup GCP secrets engine
+        run: |
+          vault secrets enable gcp
+          vault write gcp/config credentials='${{ secrets.GCP_TEST_ACCOUNT }}'
+          vault write gcp/roleset/vault-gcr-secrets \
+            project="vault-gcr-secrets-6969" \
+            secret_type="service_account_key" \
+            bindings=-<<EOF
+            resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
+              roles = ["roles/viewer"]
+            }
+          EOF
+
+      - name: Setup Vault GCR Secrets Policy and Role
+        run: |
+          cat <<EOF | vault policy write vault-gcr-secrets -
+          path "gcp/vault-gcr-secret/key" {
+            capabilities = ["read"]
+          }
+          EOF
+          vault write auth/kubernetes/role/vault-gcr-secrets \
+            bound_service_account_names="vault-gcr-secrets" \
+            bound_service_account_namespaces="$MY_NAMESPACE" \
+            policies=vault-gcr-secrets ttl=24h
+
+      - name: Install vault-gcr-secrets
+        run: |
+          kubectl create namespace "$MY_NAMESPACE"
+          helm upgrade --install vault-gcr-secrets ./charts/vault-gcr-secrets \
+            --namespace "$MY_NAMESPACE" \
+            --set vault.address="http://vault.vault.svc.cluster.local:8200" \
+            --set vault.authMethod=kubernetes \
+            --set vault.authMountPath=auth/kubernetes \
+            --set vault.kubernetesRole=vault-gcr-secrets \
+            --set vault.gcpSecretPath=gcp/vault-gcr-secret/key

.github/workflows/release.yaml

@@ -0,0 +1,30 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

README.md

@@ -5,3 +5,18 @@ docker-registry secret in Kubernetes. This can be used as `imagePullSecrets` to
 from a private GCR.
 
 NOTE: This is alpha quality, use it at your own risk.
+
+## Prerequisites
+
+* Google Cloud Platform (GCP) Account setup with Vault
+* AppRole, Token or Kubernetes authentication to Vault
+
+## Installation
+
+* helm repo add vault-gcr-secrets https://tjm.github.io/vault-gcr-secrets/
+* helm repo update
+* helm install vault-gcr-secrets/vault-gcr-secrets
+
+NOTE: You will most likely need to set some values, like authentication method, path, etc.
+
+This chart was rougly based on the [vault-secrets-operator](https://github.com/ricoberger/vault-secrets-operator), which at the time was unable to support GCP secrets engine.

charts/vault-gcr-secrets/Chart.yaml

@@ -1,10 +1,9 @@
 apiVersion: v1
-appVersion: 0.1.7
+name: vault-gcr-secrets
 description: Create Kubernetes Docker-Registry secrets from Vault GCP Secrets Engine to access GCR.
 home: https://github.com/TJM/vault-gcr-secrets
-#icon: https://raw.githubusercontent.com/ricoberger/vault-gcr-secrets/master/assets/logo.png
+# icon: https://raw.githubusercontent.com/TJM/vault-gcr-secrets/master/assets/logo.png
 maintainers:
-  - name: Tommy McNeely
-    #url:
-name: vault-gcr-secrets
-version: 0.1.7
+  - name: TJM  # Tommy McNeely
+version: 0.1.8
+appVersion: 0.1.8