Merge pull request #6 from TJM/chore/rename

chore: rename to vault-gcp-secrets

.github/workflows/lint.yaml

@@ -35,7 +35,7 @@ jobs:
           fi
 
       - name: Run chart-testing (lint)
-        run: ct lint
+        run: ct lint --excluded-charts vault-gcr-secrets
 
       - name: Docker Lint
         uses: luke142367/[email protected]

.github/workflows/test.yaml

@@ -50,25 +50,25 @@ jobs:
 
       - name: Build Docker Image for local testing
         run: |
-          docker build -t $KIND_REGISTRY/vault-gcr-secrets:test .
-          docker push $KIND_REGISTRY/vault-gcr-secrets:test
+          docker build -t $KIND_REGISTRY/vault-gcp-secrets:test .
+          docker push $KIND_REGISTRY/vault-gcp-secrets:test
 
       - name: Install Vault Service
         run: ./test/scripts/vault-install.sh
 
-      - name: Configure ${{ matrix.auth }} Vault authentication
-        run: ./test/scripts/vault-auth-${{ matrix.auth }}.sh
+      - name: Configure ${AUTH_METHOD} Vault authentication
+        run: ./test/scripts/vault-auth-${AUTH_METHOD}.sh
 
-      - name: Configure Vault ${{ matrix.auth }} Role
-        run: ./test/scripts/vault-role-${{ matrix.auth }}.sh
+      - name: Configure Vault ${AUTH_METHOD} Role
+        run: ./test/scripts/vault-role-${AUTH_METHOD}.sh
 
       - name: Setup GCP secrets engine
         id: gcp-secrets
         env:
           GCP_CREDENTIALS: ${{ secrets.GCP_TEST_ACCOUNT }}
         run: ./test/scripts/vault-gcp-secrets.sh
 
-      - name: Install vault-gcr-secrets
+      - name: Install vault-gcp-secrets
         run: ./test/scripts/install-chart.sh
 
       - name: Verify Secret

README.md

@@ -1,10 +1,12 @@
-# Vault GCR Secrets
+# Vault GCP Secrets
 
-Use vault agent to keep a `vault_gcp_secret_roleset` service account key updated as a
-docker-registry secret in Kubernetes. This can be used as `imagePullSecrets` to retrieve images
-from a private GCR.
+Use vault agent to keep a `vault_gcp_secrets_roleset` service account key updated as a
+Kubernetes secret, either for docker-registry or generic (Opaque). This can be used
+for various other pods needing access to Google Services without having a vault agent
+for each one. It can also be used as `imagePullSecrets` (for docker type) to retrieve
+images from a private GCR repository.
 
-NOTE: This is alpha quality, use it at your own risk.
+NOTE: We are using this code in the production environment. You may use it at your own risk.
 
 ## Prerequisites
 
@@ -13,10 +15,11 @@ NOTE: This is alpha quality, use it at your own risk.
 
 ## Installation
 
-* helm repo add vault-gcr-secrets https://tjm.github.io/vault-gcr-secrets/
+* helm repo add vault-gcp-secrets https://tjm.github.io/vault-gcp-secrets/
 * helm repo update
-* helm install vault-gcr-secrets/vault-gcr-secrets
+* helm install vault-gcp-secrets/vault-gcp-secrets
 
 NOTE: You will most likely need to set some values, like authentication method, path, etc.
 
-This chart was rougly based on the [vault-secrets-operator](https://github.com/ricoberger/vault-secrets-operator), which at the time was unable to support GCP secrets engine.
+This chart was rougly based on the [vault-secrets-operator](https://github.com/ricoberger/vault-secrets-operator),
+which at the time was unable to support GCP secrets engine.

charts/vault-gcp-secrets/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+name: vault-gcp-secrets
+description: Create and maintain Kubernetes secret from Vault GCP Secrets Engine with vault agent.
+home: https://github.com/TJM/vault-gcp-secrets
+# icon: https://raw.githubusercontent.com/TJM/vault-gcp-secrets/master/assets/logo.png
+maintainers:
+  - name: TJM  # Tommy McNeely
+version: 0.4.0
+appVersion: 0.4.0

charts/vault-gcr-secrets/README.md → charts/vault-gcp-secrets/README.md

@@ -1,16 +1,20 @@
-# Vault GCR Secrets
+# Vault GCP Secrets
 
-Use vault agent to keep a `vault_gcp_secret_roleset` service account key updated as a
-docker-registry secret in Kubernetes. This can be used as `imagePullSecrets` to retrieve images
-from a private GCR.
+Use vault agent to keep a `vault_gcp_secrets_roleset` service account key updated as a
+Kubernetes secret, either for docker-registry or generic (Opaque). This can be used
+for various other pods needing access to Google Services without having a vault agent
+for each one. It can also be used as `imagePullSecrets` (for docker type) to retrieve
+images from a private GCR repository.
+
+NOTE: We are using this code in the production environment. You may use it at your own risk.
 
 NOTE: This is alpha quality, use it at your own risk.
 
 | Value | Description | Default |
 | ----- | ----------- | ------- |
 | `replicaCount` | Number of replications which should be created. | `1` |
 | `deploymentStrategy` | Deployment strategy which should be used. | `{}` |
-| `image.repository` | The repository of the Docker image. | `quay.io/tommydavita/vault-gcr-secrets` |
+| `image.repository` | The repository of the Docker image. | `quay.io/tommydavita/vault-gcp-secrets` |
 | `image.tag` | The tag of the Docker image which should be used. | `1.15.2` |
 | `image.pullPolicy` | The pull policy for the Docker image, | `IfNotPresent` |
 | `image.volumeMounts` | Mount additional volumns to the container. | `[]` |
@@ -21,19 +25,19 @@ NOTE: This is alpha quality, use it at your own risk.
 | `vault.address` | The address where Vault listen on (e.g. `http://vault.example.com`). | `"http://vault:8200"` |
 | `vault.authMethod` | The authentication method, which should be used by the operator. Can be `kubernetes` ([Kubernetes auth method](https://www.vaultproject.io/docs/auth/kubernetes.html)), or `approle` ([AppRole auth method](https://www.vaultproject.io/docs/auth/approle)). | `kubernetes` |
 | `vault.kubernetesPath` | If the Kubernetes auth method is used, this is the path where the Kubernetes auth method is enabled. | `auth/kubernetes` |
-| `vault.kubernetesRole` | The name of the role which is configured for the Kubernetes auth method. | `vault-gcr-secrets` |
+| `vault.kubernetesRole` | The name of the role which is configured for the Kubernetes auth method. | `vault-gcp-secrets` |
 | `vault.appRolePath` | If the AppRole auth method is used, this is the path where the AppRole auth method is enabled. | `auth/approle` |
 | `vault.reconciliationTime` | The time after which the reconcile function for the CR is rerun. If the value is 0, automatic reconciliation is skipped. | `0` |
 | `rbac.create` | Create RBAC object, enable Role and Role binding creation. | `true` |
 | `rbac.createrole` | Finetune RBAC, enable or disable Role creation. NOTE: ignored when `rbac.create` is not `true`. | `true` |
 | `serviceAccount.create` | Create the service account. | `true` |
-| `serviceAccount.name` | The name of the service account, which should be created/used by the operator. | `vault-gcr-secrets` |
-| `podAnnotations` | Annotations for vault-gcr-secrets pod(s). | `{}` |
+| `serviceAccount.name` | The name of the service account, which should be created/used by the operator. | `vault-gcp-secrets` |
+| `podAnnotations` | Annotations for vault-gcp-secrets pod(s). | `{}` |
 | `podSecurityContext`: | Security context policies to add to the operator pod. | `{}` |
 | `securityContext`: | Security context policies to add to the containers. | `{}` |
-| `podLabels` | Additional labels for the vault-gcr-secrets pod(s). | `{}` |
-| `testPodAnnotations` | Annotations for vault-gcr-secrets-test-connection pod. | `{}` |
-| `testPodLabels` | Additional labels for the vault-gcr-secrets-test-connection pod. | `{}` |
+| `podLabels` | Additional labels for the vault-gcp-secrets pod(s). | `{}` |
+| `testPodAnnotations` | Annotations for vault-gcp-secrets-test-connection pod. | `{}` |
+| `testPodLabels` | Additional labels for the vault-gcp-secrets-test-connection pod. | `{}` |
 | `resources` | Set resources for the operator. | `{}` |
 | `volumes` | Provide additional volumns for the container. | `[]` |
 | `nodeSelector` | Set a node selector. | `{}` |

charts/vault-gcr-secrets/templates/NOTES.txt → charts/vault-gcp-secrets/templates/NOTES.txt

@@ -1,8 +1,8 @@
 1. Check the pod by running these commands:
 
-  kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vault-gcr-secrets.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
+  kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vault-gcp-secrets.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
 
 {{ if contains "kubernetes" .Values.vault.authMethod }}
-2. Configure Vault using the "{{ template "vault-gcr-secrets.serviceAccountName" . }}" ServiceAccount.
+2. Configure Vault using the "{{ template "vault-gcp-secrets.serviceAccountName" . }}" ServiceAccount.
 
 {{ end }}

charts/vault-gcr-secrets/templates/_helpers.tpl → charts/vault-gcp-secrets/templates/_helpers.tpl

@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "vault-gcr-secrets.name" -}}
+{{- define "vault-gcp-secrets.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "vault-gcr-secrets.fullname" -}}
+{{- define "vault-gcp-secrets.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -27,16 +27,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "vault-gcr-secrets.chart" -}}
+{{- define "vault-gcp-secrets.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
 Common labels
 */}}
-{{- define "vault-gcr-secrets.labels" -}}
-app.kubernetes.io/name: {{ include "vault-gcr-secrets.name" . }}
-helm.sh/chart: {{ include "vault-gcr-secrets.chart" . }}
+{{- define "vault-gcp-secrets.labels" -}}
+app.kubernetes.io/name: {{ include "vault-gcp-secrets.name" . }}
+helm.sh/chart: {{ include "vault-gcp-secrets.chart" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Values.podLabels }}
@@ -47,15 +47,15 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 matchLabels
 */}}
-{{- define "vault-gcr-secrets.matchLabels" -}}
-app.kubernetes.io/name: {{ include "vault-gcr-secrets.name" . }}
+{{- define "vault-gcp-secrets.matchLabels" -}}
+app.kubernetes.io/name: {{ include "vault-gcp-secrets.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{/*
 Additional pod annotations
 */}}
-{{- define "vault-gcr-secrets.annotations" -}}
+{{- define "vault-gcp-secrets.annotations" -}}
 {{- if .Values.podAnnotations }}
 {{- toYaml .Values.podAnnotations }}
 {{- end }}
@@ -64,7 +64,7 @@ Additional pod annotations
 {{/*
 Additional test-connection pod annotations
 */}}
-{{- define "vault-gcr-secrets.testPodAnnotations" -}}
+{{- define "vault-gcp-secrets.testPodAnnotations" -}}
 {{- if .Values.testPodAnnotations }}
 {{- toYaml .Values.testPodAnnotations }}
 {{- end }}
@@ -73,7 +73,7 @@ Additional test-connection pod annotations
 {{/*
 Additional test-connection pod labels
 */}}
-{{- define "vault-gcr-secrets.testPodLabels" -}}
+{{- define "vault-gcp-secrets.testPodLabels" -}}
 {{- if .Values.testPodLabels }}
 {{- toYaml .Values.testPodLabels }}
 {{- end }}
@@ -82,9 +82,9 @@ Additional test-connection pod labels
 {{/*
 Create the name of the service account to use.
 */}}
-{{- define "vault-gcr-secrets.serviceAccountName" -}}
+{{- define "vault-gcp-secrets.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
-    {{ default (include "vault-gcr-secrets.fullname" .) .Values.serviceAccount.name }}
+    {{ default (include "vault-gcp-secrets.fullname" .) .Values.serviceAccount.name }}
 {{- else -}}
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
@@ -93,5 +93,5 @@ Create the name of the service account to use.
 {{/*
 Additional containers to add to the deployment
 */}}
-{{- define "vault-gcr-secrets.additionalContainers" -}}
+{{- define "vault-gcp-secrets.additionalContainers" -}}
 {{- end -}}

charts/vault-gcr-secrets/templates/configmap.yaml → charts/vault-gcp-secrets/templates/configmap.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ template "vault-gcr-secrets.fullname" . }}-config
+  name: {{ template "vault-gcp-secrets.fullname" . }}-config
   namespace: {{ .Release.Namespace }}
   labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
   {{- if .Values.podAnnotations }}
   annotations:
-{{ include "vault-gcr-secrets.annotations" . | indent 4 }}
+{{ include "vault-gcp-secrets.annotations" . | indent 4 }}
   {{- end }}
 data:
   agent.hcl: |

charts/vault-gcr-secrets/templates/deployment.yaml → charts/vault-gcp-secrets/templates/deployment.yaml

@@ -1,14 +1,14 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "vault-gcr-secrets.fullname" . }}
+  name: {{ include "vault-gcp-secrets.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
   annotations:
     checksum/config-map: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
   {{- if .Values.podAnnotations }}
-{{ include "vault-gcr-secrets.annotations" . | indent 4 }}
+{{ include "vault-gcp-secrets.annotations" . | indent 4 }}
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
@@ -18,22 +18,22 @@ spec:
   {{- end }}
   selector:
     matchLabels:
-{{ include "vault-gcr-secrets.matchLabels" . | indent 6 }}
+{{ include "vault-gcp-secrets.matchLabels" . | indent 6 }}
   template:
     metadata:
       labels:
-{{ include "vault-gcr-secrets.labels" . | indent 8 }}
+{{ include "vault-gcp-secrets.labels" . | indent 8 }}
       annotations:
         checksum/config-map: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
       {{- if .Values.podAnnotations }}
-{{ include "vault-gcr-secrets.annotations" . | indent 8 }}
+{{ include "vault-gcp-secrets.annotations" . | indent 8 }}
       {{- end }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ template "vault-gcr-secrets.serviceAccountName" . }}
+      serviceAccountName: {{ template "vault-gcp-secrets.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
@@ -85,11 +85,11 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-        {{- include "vault-gcr-secrets.additionalContainers" . | nindent 8 }}
+        {{- include "vault-gcp-secrets.additionalContainers" . | nindent 8 }}
       volumes:
         - name: vault-agent-config
           configMap:
-            name: {{ template "vault-gcr-secrets.fullname" . }}-config
+            name: {{ template "vault-gcp-secrets.fullname" . }}-config
         {{- if .Values.vault.credentialSecretName }}
         - name: vault-credentials
           secret:

charts/vault-gcr-secrets/templates/role-binding.yaml → charts/vault-gcp-secrets/templates/role-binding.yaml

@@ -2,17 +2,17 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "vault-gcr-secrets.fullname" . }}
+  name: {{ template "vault-gcp-secrets.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: vault-gcr-secrets
+  name: vault-gcp-secrets
 subjects:
   - apiGroup: ""
     kind: ServiceAccount
-    name: {{ template "vault-gcr-secrets.serviceAccountName" . }}
+    name: {{ template "vault-gcp-secrets.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 {{ end }}

charts/vault-gcr-secrets/templates/role.yaml → charts/vault-gcp-secrets/templates/role.yaml

@@ -2,10 +2,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ template "vault-gcr-secrets.fullname" . }}
+  name: {{ template "vault-gcp-secrets.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

charts/vault-gcr-secrets/templates/secret.yaml → charts/vault-gcp-secrets/templates/secret.yaml

@@ -6,5 +6,5 @@ metadata:
   name: {{ .Values.secret.name | quote }}
   namespace: {{ .Release.Namespace }}
   labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 type: {{ .Values.secret.type | quote }}

charts/vault-gcr-secrets/templates/service-account.yaml → charts/vault-gcp-secrets/templates/service-account.yaml

@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "vault-gcr-secrets.serviceAccountName" . }}
+  name: {{ template "vault-gcp-secrets.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-{{ include "vault-gcr-secrets.labels" . | indent 4 }}
+{{ include "vault-gcp-secrets.labels" . | indent 4 }}
 {{ end }}