Added the Helm chart for the Secrets Manager operator (#123)

* Added the Helm chart for the Secrets Manager operator * Some formatting changes requested by GitHub * Adding end-of-file carriage return suggested by GitHub * Removing the schema definition from the schema itself to match what we have in the other chart * Fixing an issue with the identity URL override * README and CRD description updates. * Updating to use GHCR * Adding optional image pull secrets * Adding missing properties to the values schema * Adding sm-operator to the build. Differentiating the versioning workflows for multiple charts. * Fixing sed statement for appVersion lookup * Adding the operator README to the root readme. Updating the .helmignore to include any test files and the README * Adding Dev Container for testing purposes. * Locking down affinity to only the architectures we currently support. These are the only ones we have static binaries for. * First attempt to allow tests with the Helm chart * Adding conditional in self-install test * Adding SM-operator tests * Testing the auth token secret creation * Adding workflow to production environment * Testing secret creation * Moving the test file to the workflows directory * Checking logs and adding sleep * Adding tail so I can see the logs * Trying without the quotes on the auth secret for now * Testing auth token length * Fixing auth token env variable setting * Adding some further tests * Adding a small wait * Fixing inverted logic * Improving logging layout * Adding newlines requested by GitHub * Apply suggestions from code review Co-authored-by: Vince Grassia <[email protected]> * Adding exectue permissions to postCreateCommand.sh * Including a small testing message around Docker Desktop/DevContainers * Fixing capitalization in values.yaml * Manually bumping the version to 0.1.0 * Removing the image pull secret from the test files. * Fixing linter error for trailing spaces * Fixing the tag on the test values file --------- Co-authored-by: Vince Grassia <[email protected]>
bitwarden · Jun 7, 2024 · 42435d8 · 42435d8
1 parent c91dbc5
commit 42435d8
Show file tree

Hide file tree

Showing 29 changed files with 1,377 additions and 10 deletions.
diff --git a/.devcontainer/common/devcontainer.json b/.devcontainer/common/devcontainer.json
@@ -0,0 +1,43 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/kubernetes-helm
+{
+	"name": "Bitwarden - Helm Charts Dev",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	"image": "mcr.microsoft.com/devcontainers/base:bookworm",
+	"runArgs": ["--network=host"], // needed for kind
+	"postCreateCommand": "sudo .devcontainer/common/postCreateCommand.sh",
+	"customizations": {
+		"vscode": {
+		  "extensions": [
+			"technosophos.vscode-helm",
+			"Tim-Koehler.helm-intellisense",
+			"ms-kubernetes-tools.vscode-kubernetes-tools",
+			"ms-azuretools.vscode-docker"
+		  ],
+		  "settings": {}
+		}
+	  },
+	"features": {
+		"ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+			"runArgs": [
+				"--privileged"
+			]
+		},
+		"ghcr.io/meaningful-ooo/devcontainer-features/fish:1": {
+			"fisher": true
+		},
+		"ghcr.io/devcontainers-contrib/features/kind:1": {}
+	},
+	// "initializeCommand": "cd .devcontainer && bash ensure-mount-sources",
+	"mounts": [
+		"source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
+	],
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "kubectl version",
+	// Configure tool-specific properties.
+	// "customizations": {},
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	"remoteUser": "root" // needed for kind: https://github.com/kubernetes-sigs/kind/issues/3196#issuecomment-1537260166
+}
diff --git a/.devcontainer/common/kind-config.yaml b/.devcontainer/common/kind-config.yaml
@@ -0,0 +1,17 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: InitConfiguration
+    nodeRegistration:
+      kubeletExtraArgs:
+        node-labels: "ingress-ready=true"
+  extraPortMappings:
+  - containerPort: 80
+    hostPort: 80
+    protocol: TCP
+  - containerPort: 443
+    hostPort: 443
+    protocol: TCP
diff --git a/.devcontainer/common/postCreateCommand.sh b/.devcontainer/common/postCreateCommand.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+apt-get update
+apt-get install -y kubernetes-client  # kubectl
+curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+kind delete cluster --name helm-charts && kind create cluster --name helm-charts --config .devcontainer/common/kind-config.yaml
+
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,3 @@
+* text=auto eol=lf
+*.{cmd,[cC][mM][dD]} text eol=crlf
+*.{bat,[bB][aA][tT]} text eol=crlf
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,6 +19,7 @@ jobs:
       matrix:
         include:
           - chart_name: self-host
+          - chart_name: sm-operator
     steps:
       - name: Checkout repo
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

diff --git a/.github/workflows/config/sample-bw-secret.yaml b/.github/workflows/config/sample-bw-secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: k8s.bitwarden.com/v1
+kind: BitwardenSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: bitwardensecret
+    app.kubernetes.io/instance: bitwardensecret-sample
+    app.kubernetes.io/part-of: sm-operator
+  name: bitwardensecret-sample
+spec:
+  organizationId: "5a30c3dd-d7b9-4d32-8764-b06800c9e6ff"
+  secretName: bw-sample-secret
+  authToken:
+    secretName: bw-auth-token
+    secretKey: token
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -16,6 +16,7 @@ jobs:
   test:
     name: Test Helm charts
     runs-on: ubuntu-22.04
+    environment: Production
     steps:
       - name: Checkout repo
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
@@ -27,6 +28,18 @@ jobs:
         with:
           version: 'v3.13.1'
 
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "helm-sm-operator-ci-test-access-token"
+
       - name: Set up lynx
         run: sudo apt install lynx
 
@@ -45,6 +58,7 @@ jobs:
           CHANGED=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
           if [[ -n "$CHANGED" ]]; then
             echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed-list=$CHANGED" >> $GITHUB_OUTPUT
           fi
 
       - name: Create kind cluster
@@ -107,12 +121,17 @@ jobs:
 
           kubectl create secret tls tls-secret --cert=bitwarden.localhost.pem --key=bitwarden.localhost.key
 
+          #Setup image pull secret
+          kubectl create secret -n bitwarden docker-registry ghcr-login-secret --docker-server=ghcr.io --docker-username=bitwarden-devops-bot --docker-password=${{ secrets.GITHUB_TOKEN }} --docker-email=106330231+bitwarden-devops-bot@users.noreply.github.com
+
+
+
       - name: Run chart-testing (install)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct install --target-branch ${{ github.event.repository.default_branch }} --skip-clean-up --namespace bitwarden
 
-      - name: Test install
-        if: steps.list-changed.outputs.changed == 'true'
+      - name: Test install (self-host)
+        if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list,'self-host')
         run: |
           #For review purposes
           echo "*****DEPLOYMENTS*****"
@@ -175,6 +194,57 @@ jobs:
 
           echo "Admin OK."
 
+
+      - name: Test install (sm-operator)
+        if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list,'sm-operator')
+        run: |
+          #For review purposes
+          echo "*****DEPLOYMENTS*****"
+          kubectl get deployments
+
+          echo "*****PODS*****"
+          pods=$(kubectl get pods -l app.kubernetes.io/name=sm-operator | grep 2/2)
+          echo $pods
+
+          if [[ -z "$pods" ]]; then
+            echo "::error::No pods found."
+            exit 1
+          fi
+
+          echo "*****CREATING AUTH SECRET*****"
+          kubectl create secret generic bw-auth-token -n bitwarden --from-literal=token="$AUTH_TOKEN"
+          echo "*****CREATING BW SECRET*****"
+          kubectl apply -f .github/workflows/config/sample-bw-secret.yaml
+
+          # Sleeping while BitwardenSecret is being created and synced
+          sleep 2s
+
+          echo "*****LOGS*****"
+          logs=$(kubectl logs -l app.kubernetes.io/name=sm-operator -c manager)
+          echo "$logs"
+
+          completed=$(echo "$logs"| grep "Completed sync for bitwarden/bitwardensecret-sample")
+
+          if [[ -z "$completed" ]]; then
+            echo "::error::Secret did not sync."
+            exit 1
+          fi
+
+          echo "*****RESULTING SECRETS*****"
+          secrets=$(kubectl get secrets)
+          echo "$secrets"
+
+          secretCreated=$(echo "$secrets" | grep "bw-sample-secret                               Opaque                           3")
+
+          if [[ -z "$secretCreated" ]]; then
+            echo "::error::Secret not created correctly."
+            exit 1
+          fi
+
+          echo "*****OPERATOR OK*****"
+        env:
+          AUTH_TOKEN: ${{ steps.retrieve-secrets.outputs.helm-sm-operator-ci-test-access-token }}
+
       - name: Clean-up
         if: steps.list-changed.outputs.changed == 'true'
         run: |

diff --git a/.github/workflows/update-versions.yml → ...b/workflows/update-versions-self-host.yml b/.github/workflows/update-versions.yml → ...b/workflows/update-versions-self-host.yml
@@ -1,5 +1,5 @@
 ---
-name: Update Versions
+name: Update Versions - Self Host
 
 on:
   workflow_dispatch:
@@ -81,9 +81,9 @@ jobs:
           WEBVERSION: ${{ steps.get-web.outputs.version }}
         run: |
           echo "Checking..."
-          
+
           coreimages=( "admin" "api" "attachments" "events" "icons" "identity" "notifications" "scim" "sso" "mssqlmigratorutility" )
-          
+
           test_image() {
               image=$1
               version=$2
@@ -98,15 +98,15 @@ jobs:
           }
 
           echo "Core Images ($COREVERSION)..."
-          
+
           for key in "${!coreimages[@]}"
           do
               image=${coreimages[$key]}
               test_image $image $COREVERSION
           done
 
           echo "Web Image ($WEBVERSION)..."
-          
+
           test_image "web" $WEBVERSION
 
   update-versions:

diff --git a/.github/workflows/update-versions-sm-operator.yml b/.github/workflows/update-versions-sm-operator.yml
@@ -0,0 +1,112 @@
+---
+name: Update Versions - SM Operator
+
+on:
+  workflow_dispatch:
+
+env:
+  _BRANCH: main
+
+jobs:
+  setup:
+    name: Setup
+    runs-on: ubuntu-22.04
+    outputs:
+      operator_version: ${{ steps.operator-update.outputs.version }}
+      operator_version_update: ${{ steps.operator-update.outputs.update }}
+    steps:
+      - name: Checkout Branch
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ env._BRANCH }}
+
+      - name: Get Latest Operator Version
+        id: get-operator-version
+        run: |
+          image="sm-operator"
+          json=$(curl -s "https://registry.hub.docker.com/v2/repositories/bitwarden/$image/tags/")
+          digest=$(echo $json |jq '."results"[] | select(.name=="latest")["digest"]')
+          latestTag=$(echo $json | jq --argjson DIGEST $digest '."results"[] | select(.digest==$DIGEST) | select(.name != "latest")["name"]' | head -n 1)
+
+          echo "Operator Image ($latestTag)..."
+
+          echo "version=$latestTag" >> $GITHUB_OUTPUT
+
+      - name: Check if operator needs updating
+        id: operator-update
+        env:
+          LATEST_OPERATOR_VERSION: ${{ steps.get-operator-version.outputs.version }}
+        run: |
+          OPERATOR_VERSION=$(sed -nE 's/^appVersion:\s+([^\s]+)/\1/p' Chart.yaml)
+
+          echo "Operator Version: $OPERATOR_VERSION"
+          echo "Latest Operator Version: $LATEST_OPERATOR_VERSION"
+          if [ "$OPERATOR_VERSION" != "$LATEST_OPERATOR_VERSION" ]; then
+            echo "Needs Operator update!"
+            echo "update=1" >> $GITHUB_OUTPUT
+          else
+            echo "update=0" >> $GITHUB_OUTPUT
+          fi
+        working-directory: charts/sm-operator
+
+  update-versions:
+    name: "Update Versions"
+    if: needs.setup.outputs.operator_version_update == 1
+    runs-on: ubuntu-22.04
+    needs: setup
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout Branch
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ env._BRANCH }}
+
+      - name: Create Update Versions Branch
+        run: |
+          PR_BRANCH=update-versions-$GITHUB_RUN_ID
+          echo "PR_BRANCH=$PR_BRANCH" >> $GITHUB_ENV
+          git switch -c $PR_BRANCH
+          git push -u origin $PR_BRANCH
+
+      - name: Checkout Update Versions Branch
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ env.PR_BRANCH }}
+
+      - name: Update Chart appVersion
+        env:
+          VERSION: ${{ needs.setup.outputs.operator_version }}
+        run: "sed -i -e 's/appVersion:.*/appVersion: '$VERSION'/' Chart.yaml"
+        working-directory: charts/sm-operator
+
+      - name: Commit updated files
+        run: |
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git commit -m "Updated operator version" -a
+
+      - name: Push changes
+        run: git push -u origin $PR_BRANCH
+
+      - name: Create Update Versions PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BASE_BRANCH: ${{ github.ref_name }}
+          TITLE: "Update operator version"
+        run: |
+          gh pr create --title "$TITLE" \
+            --base "$BASE_BRANCH" \
+            --head "$PR_BRANCH" \
+            --label "automated pr" \
+            --body "
+              ## Type of change
+              - [ ] Bug fix
+              - [ ] New feature development
+              - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
+              - [ ] Build/deploy pipeline (DevOps)
+              - [X] Other
+
+              ## Objective
+              Automated version update to appVersion in charts/sm-operator/Chart.yaml"
diff --git a/.github/workflows/version-bump.yml → .github/workflows/version-bump-self-host.yml b/.github/workflows/version-bump.yml → .github/workflows/version-bump-self-host.yml
@@ -1,5 +1,5 @@
 ---
-name: Version Bump
+name: Version Bump - Self Host
 
 on:
   workflow_dispatch: