Merge pull request #5 from TJM/chore/build-changes

chore: split lint and test

.github/workflows/lint.yaml

@@ -0,0 +1,45 @@
+name: Lint Chart and Dockerfile
+
+on: pull_request
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    env:
+      CT_TARGET_BRANCH: main
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint
+
+      - name: Docker Lint
+        uses: luke142367/[email protected]
+        with:
+          target: Dockerfile
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yaml

@@ -0,0 +1,85 @@
+name: Test Container and Helm Chart
+
+on: pull_request
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        auth:
+          - kubernetes
+          - approle
+        secretType:
+          - docker
+          - generic
+
+    env:
+      VAULT_ADDR: http://127.0.0.1:8200
+      VAULT_AUTH_NAMESPACE: kube-system
+      TARGET_NAMESPACE: gcp-secrets
+      AUTH_METHOD: ${{ matrix.auth }}
+      SECRET_TYPE: ${{ matrix.secretType }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Setup Vault
+        run: |
+          curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
+          sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+          sudo apt-get update && sudo apt-get install vault
+
+      - name: Create KIND cluster with Registry
+        # uses: helm/[email protected]
+        uses: container-tools/kind-action@v1
+
+      - name: Create Kubernetes namespace
+        id: kube-target-namespace
+        run: kubectl create namespace $TARGET_NAMESPACE
+
+      - name: Build Docker Image for local testing
+        run: |
+          docker build -t $KIND_REGISTRY/vault-gcr-secrets:test .
+          docker push $KIND_REGISTRY/vault-gcr-secrets:test
+
+      - name: Install Vault Service
+        run: ./test/scripts/vault-install.sh
+
+      - name: Configure ${{ matrix.auth }} Vault authentication
+        run: ./test/scripts/vault-auth-${{ matrix.auth }}.sh
+
+      - name: Configure Vault ${{ matrix.auth }} Role
+        run: ./test/scripts/vault-role-${{ matrix.auth }}.sh
+
+      - name: Setup GCP secrets engine
+        id: gcp-secrets
+        env:
+          GCP_CREDENTIALS: ${{ secrets.GCP_TEST_ACCOUNT }}
+        run: ./test/scripts/vault-gcp-secrets.sh
+
+      - name: Install vault-gcr-secrets
+        run: ./test/scripts/install-chart.sh
+
+      - name: Verify Secret
+        env:
+          SERVICE_ACCOUNT_EMAIL: ${{ steps.gcp-secrets.outputs.service_account_email }}
+        run: ./test/scripts/verify-secret.sh
+
+      - name: Show Pod Status and Logs
+        if: ${{ always() }}
+        run: ./test/scripts/end-collect-data.sh
+
+      - name: Cleanup GCP Roleset (service accounts)
+        if: ${{ always() }}
+        run: ./test/scripts/end-cleanup.sh

Dockerfile

@@ -3,7 +3,7 @@ ARG KUBECTL_VERSION="stable"
 
 # Add more dependencies
 RUN apk add  --no-cache jq bash curl openssl \
-    && [[ $KUBECTL_VERSION = "stable" ]] && KUBECTL_VERSION=$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt) \
+    && [ "${KUBECTL_VERSION}" = "stable" ] && KUBECTL_VERSION=$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt) \
     && curl -LO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
     && chmod +x ./kubectl \
     && mv ./kubectl /usr/local/bin/kubectl

README.md

@@ -9,7 +9,7 @@ NOTE: This is alpha quality, use it at your own risk.
 ## Prerequisites
 
 * Google Cloud Platform (GCP) Account setup with Vault
-* AppRole, Token or Kubernetes authentication to Vault
+* AppRole or Kubernetes authentication to Vault
 
 ## Installation
 

charts/vault-gcr-secrets/Chart.yaml

@@ -5,5 +5,5 @@ home: https://github.com/TJM/vault-gcr-secrets
 # icon: https://raw.githubusercontent.com/TJM/vault-gcr-secrets/master/assets/logo.png
 maintainers:
   - name: TJM  # Tommy McNeely
-version: 0.3.0
-appVersion: 0.3.0
+version: 0.3.1
+appVersion: 0.3.1

charts/vault-gcr-secrets/README.md

@@ -17,10 +17,9 @@ NOTE: This is alpha quality, use it at your own risk.
 | `imagePullSecrets` | Secrets which can be used to pull the Docker image. | `[]` |
 | `nameOverride` | Expand the name of the chart. | `""` |
 | `fullnameOverride` | Override the name of the app. | `""` |
-| `environmentVars` | Pass environment variables from a secret to the containers. This must be used if you use the Token auth method of Vault. | `[]` |
+| `environmentVars` | Pass environment variables from a secret to the containers. | `[]` |
 | `vault.address` | The address where Vault listen on (e.g. `http://vault.example.com`). | `"http://vault:8200"` |
-| `vault.authMethod` | The authentication method, which should be used by the operator. Can by `token` ([Token auth method](https://www.vaultproject.io/docs/auth/token.html)), `kubernetes` ([Kubernetes auth method](https://www.vaultproject.io/docs/auth/kubernetes.html)), or `approle` ([AppRole auth method](https://www.vaultproject.io/docs/auth/approle)). | `token` |
-| `vault.tokenPath` | Path to file with the Vault token if the used auth method is `token`. Can be used to read the token from a file and not from the  `VAULT_TOKEN` environment variable. | `""` |
+| `vault.authMethod` | The authentication method, which should be used by the operator. Can be `kubernetes` ([Kubernetes auth method](https://www.vaultproject.io/docs/auth/kubernetes.html)), or `approle` ([AppRole auth method](https://www.vaultproject.io/docs/auth/approle)). | `kubernetes` |
 | `vault.kubernetesPath` | If the Kubernetes auth method is used, this is the path where the Kubernetes auth method is enabled. | `auth/kubernetes` |
 | `vault.kubernetesRole` | The name of the role which is configured for the Kubernetes auth method. | `vault-gcr-secrets` |
 | `vault.appRolePath` | If the AppRole auth method is used, this is the path where the AppRole auth method is enabled. | `auth/approle` |

charts/vault-gcr-secrets/templates/configmap.yaml

@@ -72,6 +72,6 @@ data:
       --dry-run=client -o yaml | kubectl replace -f -
     {{- else }}
     kubectl create secret generic "{{ .Values.secret.name }}" \
-    --from-file={{ .Values.secret.key }}=/dev/shm/key.json \
-    --dry-run=client -o yaml | kubectl replace -f -
+      --from-file={{ .Values.secret.key }}=/dev/shm/key.json \
+      --dry-run=client -o yaml | kubectl replace -f -
     {{- end }}

charts/vault-gcr-secrets/templates/deployment.yaml

@@ -49,14 +49,6 @@ spec:
             - -config
             - /srv/vault-agent/agent.hcl
           env:
-            {{- if .Values.vault.address }}
-            - name: VAULT_ADDRESS
-              value: {{ .Values.vault.address | quote }}
-            {{- end }}
-            {{- if .Values.vault.tokenPath }}
-            - name: VAULT_TOKEN_PATH
-              value: {{ .Values.vault.tokenPath | quote }}
-            {{- end }}
             {{- with .Values.environmentVars }}
             {{- toYaml . | nindent 12 }}
             {{- end }}