Merge pull request #67 from premiscale/PASS-5

PASS-5: Spin out CRDs into their own chart; update CRD to accept unique map of key: value pairs

.circleci/config.yml

@@ -132,6 +132,18 @@ workflows:
             tags:
               only: /^v?[0-9]+\.[0-9]+\.[0-9]+$/
 
+      - general/helm-release-nexus:
+          name: helm package crds [nexus]
+          context: nexus
+          repo: $HELM_REPOSITORY_URL
+          path: helm/operator-crds
+          version: $CIRCLE_TAG
+          filters:
+            branches:
+              ignore: /.*/
+            tags:
+              only: /^v?[0-9]+\.[0-9]+\.[0-9]+$/
+
       - general/helm-upgrade:
           name: helm upgrade [nexus]
           cluster: $CHELSEA_CLUSTER

.circleci/helm.operator-crds.yml

@@ -0,0 +1,71 @@
+version: 2.1
+
+
+orbs:
+  general: premiscale/[email protected]
+
+
+workflows:
+  helm-operator-crds:
+    jobs:
+      # develop
+
+      - general/helm-release-nexus:
+          name: helm build and push [helm/operator-crds] [develop]
+          context: nexus
+          repo: $HELM_DEVELOP_REPOSITORY_URL
+          path: helm/operator-crds
+          version: 0.0.<< pipeline.number >>
+          image-tag: 0.0.<< pipeline.number >>
+          filters:
+            branches:
+              ignore:
+                - master
+
+      - general/helm-upgrade:
+          name: helm upgrade install [helm/operator-crds] [develop]
+          cluster: $CHELSEA_CLUSTER
+          namespace: pass-operator-develop
+          repo: $HELM_DEVELOP_REPOSITORY_URL
+          install-name: pass-operator-crds
+          version: 0.0.<< pipeline.number >>
+          requires:
+            - helm build and push [helm/operator-crds] [develop]
+          context:
+            - kubeconfig
+            - nexus
+          filters:
+            branches:
+              ignore:
+                - master
+
+      # master
+
+      - general/helm-release-nexus:
+          name: helm build and push [helm/operator-crds] [master]
+          context: nexus
+          repo: $HELM_MASTER_REPOSITORY_URL
+          path: helm/operator-crds
+          version: 0.0.<< pipeline.number >>
+          image-tag: 0.0.<< pipeline.number >>
+          filters:
+            branches:
+              only:
+                - master
+
+      - general/helm-upgrade:
+          name: helm upgrade install [helm/operator-crds]
+          cluster: $CHELSEA_CLUSTER
+          namespace: pass-operator-develop
+          repo: $HELM_MASTER_REPOSITORY_URL
+          install-name: pass-operator-crds
+          version: 0.0.<< pipeline.number >>
+          requires:
+            - helm build and push [helm/operator-crds] [master]
+          context:
+            - kubeconfig
+            - nexus
+          filters:
+            branches:
+              only:
+                - master

.circleci/helm.yml

@@ -0,0 +1,19 @@
+version: 2.1
+
+
+orbs:
+  general: premiscale/[email protected]
+
+
+workflows:
+  helm:
+    jobs:
+      - general/helm-lint:
+          name: helm lint [<< matrix.chart-path >>]
+          matrix:
+            parameters:
+              chart-path:
+                - helm/operator
+                - helm/operator-crds
+            alias: helm-lint
+          chart-path: << matrix.chart-path >>

.circleci/src.yml

@@ -10,17 +10,18 @@ executors:
     docker:
       - image: cimg/python:3.10.11
 
+
 workflows:
   src:
     jobs:
       - general/python-pylint:
           name: pylint
-          modules_path: src/
           context: nexus
 
-      - general/helm-lint:
-          name: helm lint [helm/operator]
-          chart-path: helm/operator
+      - general/python-mypy:
+          name: mypy
+          executor: python-3-10
+          configuration_file: pyproject.toml
 
       # develop
 
@@ -32,6 +33,7 @@ workflows:
           pypirc-config: .pypirc
           requires:
             - pylint
+            - mypy
           filters:
             branches:
               ignore:

README.md

@@ -22,9 +22,8 @@ metadata:
   name: mysecret
   namespace: pass-operator-test
 spec:
-  data:
-    - key: mykey
-      path: premiscale/mydata
+  encryptedData:
+    mykey: premiscale/mydata
   managedSecret:
     name: mysecret
     namespace: pass-operator-test
@@ -41,7 +40,7 @@ metadata:
   name: mysecret
   namespace: pass-operator-test
 data:
-  mykey: <contents of premiscale/mydata>
+  mykey: <decrypted contents of premiscale/mydata>
 immutable: false
 type: Opaque
 ```

helm/operator-crds/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/operator-crds/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: pass-operator-crds
+description: Password store operator custom resource definitions (CRDs)
+type: application
+version: 1.0.0

helm/operator/crds/PassSecret.yaml → helm/operator-crds/templates/PassSecret.yaml

@@ -56,25 +56,17 @@ spec:
               description: PassSecretSpec defines the desired state of a PassSecret.
               type: object
               properties:
-                data:
+                encryptedData:
                   description: |+
                     Data to be contained in the secret.
-                  type: array
-                  minItems: 1
-                  items:
-                    type: object
-                    properties:
-                      key:
-                        description: Secret key to populate with data.
-                        type: string
-                        minLength: 1
-                      path:
-                        description: Define the path to the secret value in the remote git repository configured on the operator.
-                        type: string
-                        minLength: 1
-                    required:
-                      - key
-                      - path
+                  type: object
+                  minProperties: 1
+                  # I tried to get patternProperties to work (1/20/24), but my control plane insisted it was a forbidden field.
+                  # https://github.com/kubernetes/kubernetes/issues/59485#issuecomment-366600460
+                  # Using the work-around I've found in Bitnami's SealedSecrets CRD for now ~
+                  # https://github.com/bitnami-labs/sealed-secrets/blob/2ea6649b1e1cb13af055392bbe9b7699e13681d3/helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml#L54
+                  additionalProperties:
+                    type: string
                 managedSecret:
                   description: Configure the managed Kubernetes secret object's fields.
                   type: object
@@ -110,7 +102,7 @@ spec:
                     - name
                     - namespace
               required:
-                - data
+                - encryptedData
                 - managedSecret
             status:
               description: Current state of the PassSecret on the Kubernetes cluster.

requirements.txt

@@ -280,9 +280,9 @@ idna==3.6 ; python_version >= "3.10" and python_version < "4.0" \
 iso8601==2.1.0 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:6b1d3829ee8921c4301998c909f7829fa9ed3cbdac0d3b16af2d743aed1ba8df \
     --hash=sha256:aac4145c4dcb66ad8b648a02830f5e2ff6c24af20f4f482689be402db2429242
-kopf==1.36.2 ; python_version >= "3.10" and python_version < "4.0" \
-    --hash=sha256:801e84671145fd19d2a2fcbc4a934ae8f6cd3bca966fc437099f815f7ab11e84 \
-    --hash=sha256:bb5e63f9e2092d22abe28c0b43ababe36d216d8efa3411a36ffb40223dd55a44
+kopf==1.37.1 ; python_version >= "3.10" and python_version < "4.0" \
+    --hash=sha256:dbeafe715987705d6fb44a49a26ca065b9e537a85c654efa94a520c6d16509d5 \
+    --hash=sha256:f38829cb702d788ab536ecd51f10d83175b971874af1d6c8178a864cf9af4ece
 kubernetes==29.0.0 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:ab8cb0e0576ccdfb71886366efb102c6a20f268d817be065ce7f9909c631e43e \
     --hash=sha256:c4812e227ae74d07d53c88293e564e54b850452715a59a927e7e1bc6b9a60459
@@ -380,25 +380,33 @@ python-json-logger==2.0.7 ; python_version >= "3.10" and python_version < "4.0"
     --hash=sha256:23e7ec02d34237c5aa1e29a070193a4ea87583bb4e7f8fd06d3de8264c4b2e1c \
     --hash=sha256:f380b826a991ebbe3de4d897aeec42760035ac760345e57b812938dc8b35e2bd
 pyyaml==6.0.1 ; python_version >= "3.10" and python_version < "4.0" \
+    --hash=sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5 \
     --hash=sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc \
+    --hash=sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df \
     --hash=sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741 \
     --hash=sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206 \
     --hash=sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27 \
     --hash=sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595 \
     --hash=sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62 \
     --hash=sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98 \
     --hash=sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696 \
+    --hash=sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290 \
+    --hash=sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9 \
     --hash=sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d \
+    --hash=sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6 \
     --hash=sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867 \
     --hash=sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47 \
     --hash=sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486 \
     --hash=sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6 \
     --hash=sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3 \
     --hash=sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007 \
     --hash=sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938 \
+    --hash=sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0 \
     --hash=sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c \
     --hash=sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735 \
     --hash=sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d \
+    --hash=sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28 \
+    --hash=sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4 \
     --hash=sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba \
     --hash=sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8 \
     --hash=sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5 \
@@ -413,7 +421,9 @@ pyyaml==6.0.1 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43 \
     --hash=sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859 \
     --hash=sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673 \
+    --hash=sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54 \
     --hash=sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a \
+    --hash=sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b \
     --hash=sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab \
     --hash=sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa \
     --hash=sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c \

src/passoperator/git.py

@@ -49,9 +49,9 @@ def clone(self) -> None:
             to_path=self.clone_location
         )
 
-        if self.branch not in self.repo.branches:
-            log.error(f'Branch "{self.branch}" not found in project at URL "{self.repo_url}"')
-            sys.exit(1)
+        # if self.branch not in self.repo.branches:
+        #     log.error(f'Branch "{self.branch}" not found in project at URL "{self.repo_url}"')
+        #     sys.exit(1)
 
         if str(self.repo.active_branch) != self.branch:
             self.repo.git.checkout(self.branch)