From 120446dfca6878f2187aee41a083f1e9fd6981d7 Mon Sep 17 00:00:00 2001 From: Gorka Lerchundi Osa Date: Thu, 4 Jan 2024 23:50:49 +0100 Subject: [PATCH 1/3] workflow: first sample of the main.yaml workflow This PR adds the first sample of the main.yaml workflow --- .github/workflows/build.yaml | 384 ----------------------------------- .github/workflows/jira.yaml | 17 -- .github/workflows/main.yaml | 51 +++++ Dockerfile.build | 7 + build.env | 0 docker-compose.yaml | 23 +++ 6 files changed, 81 insertions(+), 401 deletions(-) delete mode 100644 .github/workflows/build.yaml delete mode 100644 .github/workflows/jira.yaml create mode 100644 .github/workflows/main.yaml create mode 100644 Dockerfile.build create mode 100644 build.env create mode 100644 docker-compose.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml deleted file mode 100644 index db08e63b..00000000 --- a/.github/workflows/build.yaml +++ /dev/null 
@@ -1,384 +0,0 @@ -name: build - -on: - push: - branches-ignore: - - 'docs/**' - workflow_dispatch: - inputs: - version: - description: "Version to build, e.g. 0.1.0" - type: string - required: false - -env: - PKG_NAME: "vault-secrets-operator" - -jobs: - get-product-version: - runs-on: ubuntu-latest - outputs: - product-version: ${{ steps.get-product-version.outputs.product-version }} - steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: get product version - id: get-product-version - run: | - VERSION="${{ github.event.inputs.version || '0.0.0-dev' }}" - echo "Using version ${VERSION}" - echo "product-version=${VERSION}" >> $GITHUB_OUTPUT - - build-pre-checks: - runs-on: ubuntu-latest - needs: get-product-version - outputs: - go-version: ${{ steps.setup-go.outputs.go-version }} - steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - id: setup-go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version-file: .go-version - - name: go fmt - run: | - make check-fmt - - name: tf fmt - run: | - make check-tffmt - - name: go mod tidy - run: | - go mod tidy - test -z "$(git status --porcelain)" - - name: check versions - run: | - make check-versions VERSION=${{ needs.get-product-version.outputs.product-version }} - - name: generate manifests - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - make generate manifests - test -z "$(git status --porcelain)" - - generate-metadata-file: - needs: get-product-version - runs-on: ubuntu-latest - outputs: - filepath: ${{ steps.generate-metadata-file.outputs.filepath }} - steps: - - name: Checkout directory - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Generate metadata file - id: generate-metadata-file - uses: hashicorp/actions-generate-metadata@v1 - with: - version: ${{ needs.get-product-version.outputs.product-version }} - product: ${{ env.PKG_NAME }} - repositoryOwner: 
"hashicorp" - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: metadata.json - path: ${{ steps.generate-metadata-file.outputs.filepath }} - - build: - name: Go ${{ needs.build-pre-checks.outputs.go-version }} linux ${{ matrix.arch }} build - needs: [get-product-version, build-pre-checks] - runs-on: ubuntu-latest - strategy: - matrix: - arch: ["arm64", "amd64"] - fail-fast: true - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Setup go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version-file: .go-version - - name: Build - env: - GOOS: "linux" - GOARCH: ${{ matrix.arch }} - VERSION: ${{ needs.get-product-version.outputs.product-version }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - mkdir dist out - make ci-build - zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip dist/${{ env.GOOS }}/${{ env.GOARCH }}/ - - name: Upload binaries - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip - path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip - - build-docker: - name: Docker ${{ matrix.arch }} build - needs: [get-product-version, build-pre-checks, build] - runs-on: ubuntu-latest - strategy: - matrix: - arch: ["arm64", "amd64"] - env: - repo: ${{github.event.repository.name}} - version: ${{needs.get-product-version.outputs.product-version}} - - steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Docker Build (Action) - uses: hashicorp/actions-docker-build@v1 - env: - VERSION: ${{ needs.get-product-version.outputs.product-version }} - GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version 
}} - with: - version: ${{env.version}} - target: release-default - arch: ${{matrix.arch}} - tags: | - docker.io/hashicorp/${{env.repo}}:${{env.version}} - public.ecr.aws/hashicorp/${{env.repo}}:${{env.version}} - - name: Check binary version in container - shell: bash - run: | - version_output=$(docker run hashicorp/${{env.repo}}:${{env.version}} --version --output=json) - echo $version_output - git_version=$(echo $version_output | jq -r .gitVersion) - - if [ "$git_version" != "${{ env.version }}" ]; then - echo "$gitVersion expected to be ${{ env.version }}" - exit 1 - fi - - build-docker-ubi-dockerhub: - name: UBI ${{ matrix.arch }} build for dockerhub - needs: [get-product-version, build-pre-checks, build] - runs-on: ubuntu-latest - strategy: - matrix: - arch: ["arm64", "amd64"] - env: - repo: ${{github.event.repository.name}} - version: ${{needs.get-product-version.outputs.product-version}} - image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi - - steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Docker Build (Action) - uses: hashicorp/actions-docker-build@v1 - env: - VERSION: ${{ needs.get-product-version.outputs.product-version }} - GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }} - with: - version: ${{env.version}} - target: release-ubi - arch: ${{matrix.arch}} - tags: | - docker.io/hashicorp/${{env.repo}}:${{env.image_tag}} - public.ecr.aws/hashicorp/${{env.repo}}:${{env.image_tag}} - - - name: Check binary version in container - shell: bash - run: | - version_output=$(docker run hashicorp/${{env.repo}}:${{env.image_tag}} --version --output=json) - echo $version_output - git_version=$(echo $version_output | jq -r .gitVersion) - - if [ "$git_version" != "${{ env.version }}" ]; then - echo "$gitVersion expected to be ${{ env.version }}" - exit 1 - fi - - build-docker-ubi-redhat-registry: - name: UBI ${{ matrix.arch }} build for redhat's registry (quay.io) - needs: [get-product-version, 
build-pre-checks, build] - runs-on: ubuntu-latest - strategy: - matrix: - # CRT does not support multi-arch images for redhat's registry - arch: ["amd64"] - env: - repo: ${{github.event.repository.name}} - version: ${{needs.get-product-version.outputs.product-version}} - image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi - - steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - name: Docker Build (Action) - uses: hashicorp/actions-docker-build@v1 - env: - VERSION: ${{ needs.get-product-version.outputs.product-version }} - GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }} - with: - version: ${{env.version}} - target: release-ubi - arch: ${{matrix.arch}} - # The quay id here corresponds to the project id on RedHat's portal - redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}} - - - name: Check binary version in container - shell: bash - run: | - version_output=$(docker run quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}} --version --output=json) - echo $version_output - git_version=$(echo $version_output | jq -r .gitVersion) - - if [ "$git_version" != "${{ env.version }}" ]; then - echo "$gitVersion expected to be ${{ env.version }}" - exit 1 - fi - - vault-versions: - runs-on: ubuntu-latest - steps: - - run: echo "setting vault versions" - outputs: - VAULT_N_2: 1.13.8 - VAULT_N_1: 1.14.4 - VAULT_N: 1.15.0 - - k8s-versions: - runs-on: ubuntu-latest - steps: - - run: echo "setting k8s versions" - outputs: - K8S_1_24: 1.24.15 - K8S_1_25: 1.25.11 - K8S_1_26: 1.26.6 - K8S_1_27: 1.27.3 - K8S_1_28: 1.28.0 - - integrationTest: - runs-on: ubuntu-latest - needs: [get-product-version, build-pre-checks, build-docker, vault-versions, k8s-versions] - env: - KIND_CLUSTER_NAME: vault-secrets-operator - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VERSION: ${{ needs.get-product-version.outputs.product-version }} - OPERATOR_IMAGE: ${{ github.event.repository.name 
}}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar - strategy: - fail-fast: false - matrix: - kind-k8s-version: - - "${{ needs.k8s-versions.outputs.K8S_1_24 }}" - - "${{ needs.k8s-versions.outputs.K8S_1_25 }}" - - "${{ needs.k8s-versions.outputs.K8S_1_26 }}" - - "${{ needs.k8s-versions.outputs.K8S_1_27 }}" - - "${{ needs.k8s-versions.outputs.K8S_1_28 }}" - vault-version: - - "${{ needs.vault-versions.outputs.VAULT_N_2 }}" - - "${{ needs.vault-versions.outputs.VAULT_N_1 }}" - - "${{ needs.vault-versions.outputs.VAULT_N }}" - installation-method: [helm, kustomize] - enterprise: [true, false] - # Note: We want to test the operator with the different k8s versions, - # and with the different vault versions, but we don't care about testing - # all the k8s versions against all the vault versions. - # Combos to exclude: - # kind-k8s-version: [K8S_1_24, K8S_1_25, K8S_1_26, K8S_1_27] - # vault-version: [VAULT_N_2, VAULT_N_1] - # We run kustomize ent against the full matrix, and other tests against vault version VAULT_N. - # Combos to exclude: - # vault-version: [VAULT_N_2, VAULT_N_1] - # any combos from installation-method and enterprise except for kustomize true - # TODO: When the VDS integration test supports Helm, test kustomize enterprise against one version of (ENT) Vault like the other tests. - # TODO: When the VDS integration test supports Helm, swap the matrix filter so helm ent test runs the full matrix. 
- exclude: - # vault version N-2 - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_27 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_2 }} - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_26 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_2 }} - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_25 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_2 }} - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_24 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_2 }} - - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_2 }} - installation-method: helm - enterprise: true - - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_2 }} - installation-method: helm - enterprise: false - - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_2 }} - installation-method: kustomize - enterprise: false - # vault version N-1 - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_27 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_1 }} - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_26 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_1 }} - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_25 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_1 }} - - kind-k8s-version: ${{ needs.k8s-versions.outputs.K8S_1_24 }} - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_1 }} - - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_1 }} - installation-method: helm - enterprise: true - - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_1 }} - installation-method: helm - enterprise: false - - vault-version: ${{ needs.vault-versions.outputs.VAULT_N_1 }} - installation-method: kustomize - enterprise: false - - name: vault:${{ matrix.vault-version }} kind:${{ matrix.kind-k8s-version }} ${{ matrix.installation-method }} enterprise=${{ matrix.enterprise }} - steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # 
v3.5.3 - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: ${{ env.OPERATOR_IMAGE }} - path: dist - - name: Create K8s Kind Cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - version: v0.20.0 - cluster_name: ${{ env.KIND_CLUSTER_NAME }} - config: test/integration/kind/config.yaml - node_image: kindest/node:v${{ matrix.kind-k8s-version }} - - name: Create kind export log root - id: create_kind_export_log_root - run: | - vault_flavor=oss - if [ ${{ matrix.enterprise }} == 'true' ]; then - vault_flavor=ent - fi - log_artifact_name="kind-${{ env.KIND_CLUSTER_NAME}}-$(git rev-parse --short ${{ github.sha }})-${{ matrix.kind-k8s-version }}-${{ matrix.vault-version }}-${vault_flavor}-${{ matrix.installation-method }}-logs" - log_root="/tmp/${log_artifact_name}" - mkdir -p "${log_root}" - echo "log_root=${log_root}" >> $GITHUB_OUTPUT - echo "log_artifact_name=${log_artifact_name}" >> $GITHUB_OUTPUT - - name: Load Docker image - # Load the amd64 docker image from the build-docker job - run: - make docker-image-load load-docker-image IMAGE_ARCHIVE_FILE=dist/${{ env.OPERATOR_IMAGE }} - - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version-file: .go-version - - name: ${{ matrix.installation-method }} enterprise=${{ matrix.enterprise }} - env: - INTEGRATION_TESTS: true - VAULT_IMAGE_TAG: ${{ matrix.vault-version }} - VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} - HCP_ORGANIZATION_ID: ${{ secrets.HCP_ORGANIZATION_ID }} - HCP_PROJECT_ID: ${{ secrets.HCP_PROJECT_ID }} - HCP_CLIENT_ID: ${{ secrets.HCP_CLIENT_ID }} - HCP_CLIENT_SECRET: ${{ secrets.HCP_CLIENT_SECRET }} - run: | - make_target=integration-test - if [ ${{ matrix.installation-method }} == 'helm' ]; then - make_target+='-helm' - fi - if [ ${{ matrix.enterprise }} == 'true' ]; then - make_target+='-ent' - export VAULT_IMAGE_TAG='${{ matrix.vault-version }}-ent' - fi - make $make_target 
SUPPRESS_TF_OUTPUT=true EXPORT_KIND_LOGS_ROOT=${{ steps.create_kind_export_log_root.outputs.log_root }} - - name: Store kind cluster logs - if: success() - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: ${{ steps.create_kind_export_log_root.outputs.log_artifact_name }} - path: ${{ steps.create_kind_export_log_root.outputs.log_root }} - - name: Store kind cluster logs failure - if: failure() - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: ${{ steps.create_kind_export_log_root.outputs.log_artifact_name }}-failed - path: ${{ steps.create_kind_export_log_root.outputs.log_root }} diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml deleted file mode 100644 index 0f73ec38..00000000 --- a/.github/workflows/jira.yaml +++ /dev/null @@ -1,17 +0,0 @@ -name: Jira Sync -on: - issues: - types: [opened, closed, deleted, reopened] - pull_request_target: - types: [opened, closed, reopened] - issue_comment: # Also triggers when commenting on a PR from the conversation view - types: [created] -jobs: - sync: - uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main - secrets: - JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - with: - teams-array: '["ecosystem", "foundations-eco"]' diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml new file mode 100644 index 00000000..04d8c41b --- /dev/null +++ b/.github/workflows/main.yaml 
@@ -0,0 +1,51 @@ +name: "vault-secrets-operator build" + +on: + push: + branches: + - main + tags: + - '*' + pull_request: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - uses: actions/checkout@v3 + - name: init + if: startsWith(github.ref, 'refs/tags/') + run: | + [[ $GITHUB_REF == refs/tags/* ]] && (echo "VERSION=$(echo ${GITHUB_REF#refs/*/} | sed -e 's/^[[v]]*//')" >> build.env) # if it's a tag, override VERSION variable + - name: prepare + run: | + docker compose up -d --build + - name: sanity-check + run: | + docker compose exec -T vault-secrets-operator make check-fmt + docker compose exec -T vault-secrets-operator go mod tidy + - name: build + run: docker compose exec -T vault-secrets-operator make ci-build ci-docker-build + - id: auth + name: authentication + if: startsWith(github.ref, 'refs/tags/') + uses: google-github-actions/auth@v1 + with: + token_format: access_token + workload_identity_provider: projects/965526508485/locations/global/workloadIdentityPools/github/providers/openid-connect + service_account: github-actions@salto-artifacts.iam.gserviceaccount.com + access_token_lifetime: '600s' + - name: release + if: startsWith(github.ref, 'refs/tags/') + run: | + docker compose exec -T vault-secrets-operator bash -c "echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://europe-docker.pkg.dev" + docker compose exec -T vault-secrets-operator make docker-push + - name: clean + run: | + docker compose exec -T vault-secrets-operator make clean + docker compose down -v diff --git a/Dockerfile.build b/Dockerfile.build new file mode 100644 index 00000000..2bf0a41b --- /dev/null +++ b/Dockerfile.build @@ -0,0 +1,7 @@ +FROM saltosystems/go-builder:31c0c2f + +ENV PKGPATH github.com/saltosystems/vault-secrets-operator + +# copy current workspace +WORKDIR ${GOPATH}/src/${PKGPATH} +COPY . ${GOPATH}/src/${PKGPATH} 
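Review bot: The release step hands the GCP access token to the shell on a command line — `bash -c "echo '${{ steps.auth.outputs.access_token }}' | docker login ..."` expands the token into the `docker compose exec` argv, where any process on the runner can read it via `ps`/`/proc` (and so can anything inside the container), and a token containing `'` would break the quoting. Export it as a step `env` variable, forward it with `docker compose exec -e`, and let the inner shell read it from the environment (sketch below). `actions/checkout@v3` and `google-github-actions/auth@v1` are mutable tags, while the build.yaml this patch deletes pinned every action to a commit SHA — keep that pinning (`uses: actions/checkout@<sha> # v3.x`). In `init`, `sed -e 's/^[[v]]*//'` is a bracket expression (`[` or `v`) followed by `]*`, which happens to strip a leading `v` but reads as a typo; `sed -e 's/^v//'` states the intent. `id-token: write` is granted job-wide although only the tag-gated `auth` step needs it — GitHub withholds it on fork PRs anyway, so this is least privilege rather than an exposure.
```yaml
      - name: release
        if: startsWith(github.ref, 'refs/tags/')
        env:
          REGISTRY_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: |
          docker compose exec -T -e REGISTRY_TOKEN vault-secrets-operator sh -c 'printf "%s" "$REGISTRY_TOKEN" | docker login -u oauth2accesstoken --password-stdin https://europe-docker.pkg.dev'
          # … unchanged: make docker-push …
```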
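Review bot: `FROM saltosystems/go-builder:31c0c2f` pins to a tag, which is mutable, so the builder image that later holds registry credentials and pushes release images is whatever that tag resolves to at build time; pin by digest, `FROM saltosystems/go-builder:31c0c2f@sha256:<digest>`, and bump it deliberately. `COPY . ${GOPATH}/src/${PKGPATH}` also pulls the entire checkout into the image, `.git` and `build.env` included; add a `.dockerignore` that keeps the context to what the make targets actually read — presumably sources and `go.mod`/`go.sum`, plus `.git` only if `ci-build` derives the version from it, so verify against the Makefile.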
diff --git a/build.env b/build.env new file mode 100644 index 00000000..e69de29b diff --git a/docker-compose.yaml b/docker-compose.yaml new file mode 100644 index 00000000..0d503b40 --- /dev/null +++ b/docker-compose.yaml @@ -0,0 +1,23 @@ +version: "3.4" + +services: + docker-in-docker: + image: docker:dind + privileged: true + environment: + DOCKER_TLS_CERTDIR: + expose: + - 2375 + + vault-secrets-operator: + build: + context: . + dockerfile: Dockerfile.build + + image: vault-secrets-operator:build + environment: + DOCKER_HOST: tcp://docker-in-docker:2375 + IMAGE_TAG_BASE: europe-docker.pkg.dev/salto-artifacts/private-docker/vault-secrets-operator + env_file: + - build.env + tty: true From 7ba3571fb69597da266ff65a78dd5d4fc38b40e2 Mon Sep 17 00:00:00 2001 
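Review bot: `DOCKER_TLS_CERTDIR:` with no value is YAML null, not an empty string; as far as I know Compose treats a null environment entry as "inherit from the host, omit if unset", so on a runner where it is unset the variable never reaches the container, the `docker:dind` image default (`/certs`, TLS on 2376 only) applies, and the builder's `DOCKER_HOST: tcp://docker-in-docker:2375` cannot connect — I have not run this, so confirm, but `DOCKER_TLS_CERTDIR: ""` is the unambiguous way to disable TLS. `image: docker:dind` is a floating tag for a `privileged: true` container that is root-equivalent on the runner host; pin it to a version or digest (e.g. `docker:24-dind`). Everything the workflow runs inside `vault-secrets-operator` (`make check-fmt`, `go mod tidy`, the builds) has full control of this daemon, and the workflow also triggers on `pull_request`, so PR code effectively gets privileged access to the runner — fine on ephemeral hosted runners, but worth a comment here so nobody points this at a self-hosted runner.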
From: Gorka Lerchundi Osa Date: Thu, 4 Jan 2024 23:54:15 +0100 Subject: [PATCH 2/3] internal/credentials: make kubernetes auth service account namespaced This commit adds the ability to specify a namespace for the service account used to authenticate to Vault. This is useful when you want to use a service account in a different namespace than the one the secret (vaultStaticSecret, vaultDynamicSecret) is located. This change is backwards compatible, so if no namespace is specified, the service account will be looked up in the same namespace as the secret. Example: Here the service account that will be used to authenticate to Vault is the service account `default` that it is in the namespace "vault-secrets-operator-system". ```yaml apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultAuth metadata: name: static-auth namespace: app spec: vaultConnectionRef: vault-connection allowedNamespaces: - "*" method: kubernetes mount: demo-auth-mount kubernetes: role: role1 serviceAccount: vault-secrets-operator-system/default ``` Closes hashicorp/vault-secrets-operator#336 --- internal/common/common.go | 14 ++++++ internal/common/common_test.go | 57 ++++++++++++++++++++++++ internal/credentials/vault/kubernetes.go | 9 +++- 3 files changed, 78 insertions(+), 2 deletions(-) diff --git a/internal/common/common.go b/internal/common/common.go index 4d4de988..b6e85c7a 100644 --- a/internal/common/common.go +++ b/internal/common/common.go 
@@ -402,3 +402,17 @@ func NewSyncableSecretMetaData(obj ctrlclient.Object) (*SyncableSecretMetaData, return nil, fmt.Errorf("unsupported type %T", t) } } + +// GetKubernetesServiceAccountNamespacedName returns the NamespacedName for the Kubernetes VaultAuth's configured +// serviceAccount. +// If the serviceAccount is empty then defaults Namespace and Name will be returned. +func GetKubernetesServiceAccountNamespacedName(a *secretsv1beta1.VaultAuthConfigKubernetes, providerNamespace string) (types.NamespacedName, error) { + if a.ServiceAccount == "" && providerNamespace == "" { + return types.NamespacedName{}, fmt.Errorf("provider's default namespace is not set, this is a bug") + } + saRef, err := parseResourceRef(a.ServiceAccount, providerNamespace) + if err != nil { + return types.NamespacedName{}, err + } + return saRef, nil +} diff --git a/internal/common/common_test.go b/internal/common/common_test.go index e30351bf..1ee192e7 100644 --- a/internal/common/common_test.go +++ b/internal/common/common_test.go 
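Review bot: The `empty-sa-ref` test case in this series expects an empty `serviceAccount` to resolve to `OperatorNamespace`/`consts.NameDefault` even though `providerNamespace` is `"test"`, so the guard `a.ServiceAccount == "" && providerNamespace == ""` protects a value that `parseResourceRef` apparently does not use as the fallback — either the fallback should be `providerNamespace` (the old code looked the name up there) or the guard is dead. `parseResourceRef` is outside the hunk, so verify which; but if a blank ref really falls back to the operator's own namespace, a VaultAuth that omits `serviceAccount` silently authenticates as a service account in the operator namespace, which widens the trust boundary rather than preserving the "backwards compatible" behaviour the commit message promises. Once settled, make the doc comment precise, e.g. `// If serviceAccount is empty the ref falls back to providerNamespace/"default"; a "ns/name" ref selects a service account in another namespace.`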
@@ -583,3 +583,60 @@ func TestGetHCPAuthForObj(t *testing.T) { }) } } + +func Test_GetKubernetesServiceAccountNamespacedName(t *testing.T) { + tests := []struct { + name string + a *secretsv1beta1.VaultAuthConfigKubernetes + providerNamespace string + want types.NamespacedName + wantErr assert.ErrorAssertionFunc + unsetDefaultsNS bool + }{ + { + name: "empty-sa-ref", + a: &secretsv1beta1.VaultAuthConfigKubernetes{ + ServiceAccount: "", + }, + providerNamespace: "test", + want: types.NamespacedName{ + Namespace: OperatorNamespace, + Name: consts.NameDefault, + }, + wantErr: assert.NoError, + }, + { + name: "with-sa-ref-with-ns", + a: &secretsv1beta1.VaultAuthConfigKubernetes{ + ServiceAccount: "foo/bar", + }, + providerNamespace: "baz", + want: types.NamespacedName{ + Name: "bar", + Namespace: "foo", + }, + wantErr: assert.NoError, + }, + { + name: "with-sa-ref-without-ns", + a: &secretsv1beta1.VaultAuthConfigKubernetes{ + ServiceAccount: "foo", + }, + providerNamespace: "baz", + want: types.NamespacedName{ + Namespace: "baz", + Name: "foo", + }, + wantErr: assert.NoError, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := GetKubernetesServiceAccountNamespacedName(tt.a, tt.providerNamespace) + if !tt.wantErr(t, err, fmt.Sprintf("getKubernetesServiceAccountNamespacedName(%v)", tt.a)) { + return + } + assert.Equalf(t, tt.want, got, "getKubernetesServiceAccountNamespacedName(%v)", tt.a) + }) + } +} diff --git a/internal/credentials/vault/kubernetes.go b/internal/credentials/vault/kubernetes.go index 830c1f42..75556574 100644 --- a/internal/credentials/vault/kubernetes.go +++ b/internal/credentials/vault/kubernetes.go @@ -12,6 +12,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" secretsv1beta1 "github.com/hashicorp/vault-secrets-operator/api/v1beta1" + "github.com/hashicorp/vault-secrets-operator/internal/common" "github.com/hashicorp/vault-secrets-operator/internal/helpers" ) 
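Review bot: The table declares `unsetDefaultsNS bool` but no case sets it and the loop never reads it; drop the field or add the case it was meant for. Neither error path is exercised — the explicit `providerNamespace == ""` error in `GetKubernetesServiceAccountNamespacedName` nor whatever `parseResourceRef` rejects as a malformed ref — so add at least `{name: "empty-sa-ref-no-provider-ns", a: &secretsv1beta1.VaultAuthConfigKubernetes{}, providerNamespace: "", wantErr: assert.Error}`. The assertion messages also name the function in lowercase (`getKubernetesServiceAccountNamespacedName`), which makes failures harder to grep; use the exported name.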
@@ -56,9 +57,13 @@ func (l *KubernetesCredentialProvider) Init(ctx context.Context, client ctrlclie } func (l *KubernetesCredentialProvider) getServiceAccount(ctx context.Context, client ctrlclient.Client) (*corev1.ServiceAccount, error) { + a, err := common.GetKubernetesServiceAccountNamespacedName(l.authObj.Spec.Kubernetes, l.providerNamespace) + if err != nil { + return nil, err + } key := ctrlclient.ObjectKey{ - Namespace: l.providerNamespace, - Name: l.authObj.Spec.Kubernetes.ServiceAccount, + Namespace: a.Namespace, + Name: a.Name, } sa := &corev1.ServiceAccount{} if err := client.Get(ctx, key, sa); err != nil { From 403fc35ae769aea7b844590d1fff5069363b238e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Horcajo?= Date: Wed, 10 Jan 2024 13:03:40 +0100 Subject: [PATCH 3/3] *: Add repo update steps To avoid future problems with the repo, we need to add the steps to update the repo with the new changes from the upstream repo. --- UPDATE.md | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 UPDATE.md diff --git a/UPDATE.md b/UPDATE.md new file mode 100644 index 00000000..085f4c6d --- /dev/null +++ b/UPDATE.md 
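Review bot: With this change the namespace part of `spec.kubernetes.serviceAccount` is taken from the VaultAuth as-is, so anyone who can create a VaultAuth in their own namespace can point the operator at a ServiceAccount in any namespace the operator's RBAC can read — including the operator's own — and, assuming the caller of `getServiceAccount` still requests a token for that account as before (not visible here), authenticate to Vault with another namespace's identity. That is a cross-namespace privilege escalation unless something authorises the reference; consider an opt-in on the target side (an annotation on the ServiceAccount, or an allow-list in the operator namespace mirroring how `allowedNamespaces` gates VaultAuth consumers) and reject unauthorised refs before the `client.Get`. At minimum log the resolved `a.Namespace`/`a.Name` so the audit trail shows which identity was used. `getServiceAccount`'s body continues past the end of the hunk.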
@@ -0,0 +1,74 @@ +To update your forked repository with the latest changes from the original repository (upstream), you can follow these steps using the command line. Make sure you have Git installed on your machine. Here's a step-by-step guide: + +### Step 1: Set Up Upstream Remote (if not done previously) +If you haven't set up the upstream remote, add it: + +```bash +# Add the original repository as the upstream remote +git remote add upstream https://github.com/hashicorp/vault-secrets-operator.git +``` + +### Step 2: Create a Backup Branch + +```bash +# Assuming you are currently on your main branch +git branch release_ + +# This will create a new branch named 'release_' pointing to the same version tag as your current branch +``` + +### Step 3: Fetch the Latest tags from Upstream + +```bash +# Fetch the latest tags from upstream +git fetch upstream --tags +``` + +### Step 4: Create branch from tag + +```bash +# Assuming you are currently on your main branch +git branch upstream/ +``` + +### Step 5: Rebase + +Perform the rebase: + +```bash +# Rebase your main branch onto the new version tag +git rebase upstream/ + +# Resolve conflicts (if any) and continue the rebase +``` + + +### Step 6: Update the version tag + +```bash +# Update the version tag to point to the latest commit +git tag -f +``` + +### Step 7: Force push + +```bash +# Force push to your forked repository +git push origin main --force +``` + +### Step 8: In Case of Issues, Restore from Backup + +If something goes wrong or you need to revert the changes, you can easily switch back to the backup branch: + +```bash +# Switch to the backup branch +git checkout release_ + +# Force push the backup branch to restore it +git push origin release_ --force +``` + +This way, you always have a backup branch pointing to the state before the rebase and force push. If anything unexpected happens, you can quickly switch back to the backup branch. 
+ +Please note that force-pushing and rewriting history can have implications, especially in a collaborative environment. It's crucial to communicate such actions with your team and follow any established best practices or guidelines.