diff --git a/.github/workflows/chart-publish.yaml b/.github/workflows/chart-publish.yaml
index 9953813..2ed1960 100644
--- a/.github/workflows/chart-publish.yaml
+++ b/.github/workflows/chart-publish.yaml
@@ -75,6 +75,6 @@ jobs:
 if [ -z "${pkg:-}" ]; then
 break
 fi
- helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts |& tee .digest
+ helm push "${pkg}" oci://ghcr.io/pulumi/helm-charts |& tee .digest
 cosign sign -y $(cat .digest | awk -F "[, ]+" '/Pushed/{print $NF}')
 done
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000..8947843
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,25 @@
+linters:
+ enable:
+ - deadcode
+ - errcheck
+ - goconst
+ - gofmt
+ - golint
+ - gosec
+ - govet
+ - ineffassign
+ - interfacer
+ - lll
+ - megacheck
+ - misspell
+ - nakedret
+ - structcheck
+ - unconvert
+ - varcheck
+ enable-all: false
+run:
+ skip-files:
+ - schema.go
+ - pulumiManifest.go
+ timeout: 20m
+
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index b54dfe0..2b7f03b 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -45,7 +45,7 @@ signs:
 output: true
 dockers:
- - image_templates: [ "ghcr.io/dirien/{{ .ProjectName }}:{{ .Version }}-amd64" ]
+ - image_templates: [ "ghcr.io/pulumi/{{ .ProjectName }}:{{ .Version }}-amd64" ]
 dockerfile: Dockerfile
 use: buildx
 build_flag_templates:
@@ -57,7 +57,7 @@ dockers:
 - --label=org.opencontainers.image.revision={{.FullCommit}}
 - --label=org.opencontainers.image.version={{.Version}}
 - --label=org.opencontainers.image.source={{.GitURL}}
- - image_templates: [ "ghcr.io/dirien/{{ .ProjectName }}:{{ .Version }}-arm64" ]
+ - image_templates: [ "ghcr.io/pulumi/{{ .ProjectName }}:{{ .Version }}-arm64" ]
 goarch: arm64
 dockerfile: Dockerfile
 use: buildx
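Review bot: Unless the step's shell is configured with `pipefail` (not visible in this hunk), a failing `helm push` on the changed line is masked by `|& tee .digest`, so the loop does not stop and the `cosign sign` on the next line runs against whatever the awk pattern extracts from the error output, typically nothing. Guarding the signing step on the push result, e.g. `helm push "${pkg}" oci://ghcr.io/pulumi/helm-charts |& tee .digest; [ "${PIPESTATUS[0]}" -eq 0 ] || exit 1`, or a `set -o pipefail` at the top of the script, keeps a missing or unsigned chart from passing silently. The push target is now pinned to the pulumi organisation instead of following `GITHUB_REPOSITORY_OWNER`, so a fork running this workflow fails at push time; if that is intended, a comment above the loop such as `# charts are only published from the pulumi org; forks are expected to fail here` would save the next reader a debugging round. The enclosing loop starts outside the hunk.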
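Review bot: Several linters enabled in the new `.golangci.yml` are deprecated in golangci-lint and, depending on the version CI runs (not visible in this change), are either skipped with a warning or rejected: `deadcode`, `structcheck` and `varcheck` are replaced by `unused`, `golint` by `revive`, `megacheck` by `staticcheck`, and `interfacer` has no successor. A deprecated-linter warning is easy to miss in CI output, so switching to the replacements now avoids a run that looks green while checking less than intended; `run.skip-files` is likewise superseded by `issues.exclude-files`. Note that excluding `schema.go` and `pulumiManifest.go` also exempts them from `gosec`; a short comment above the list, e.g. `# generated files; excluded from all linters including gosec`, would record why that is acceptable, assuming they are generated.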
@@ -72,14 +72,14 @@ dockers: - --label=org.opencontainers.image.source={{.GitURL}} docker_manifests: - - name_template: 'ghcr.io/dirien/{{ .ProjectName }}:{{ .Version }}' + - name_template: 'ghcr.io/pulumi/{{ .ProjectName }}:{{ .Version }}' image_templates: - - 'ghcr.io/dirien/{{ .ProjectName }}:{{ .Version }}-amd64' - - 'ghcr.io/dirien/{{ .ProjectName }}:{{ .Version }}-arm64' - - name_template: 'ghcr.io/dirien/{{ .ProjectName }}:latest' + - 'ghcr.io/pulumi/{{ .ProjectName }}:{{ .Version }}-amd64' + - 'ghcr.io/pulumi/{{ .ProjectName }}:{{ .Version }}-arm64' + - name_template: 'ghcr.io/pulumi/{{ .ProjectName }}:latest' image_templates: - - 'ghcr.io/dirien/{{ .ProjectName }}:{{ .Version }}-amd64' - - 'ghcr.io/dirien/{{ .ProjectName }}:{{ .Version }}-arm64' + - 'ghcr.io/pulumi/{{ .ProjectName }}:{{ .Version }}-amd64' + - 'ghcr.io/pulumi/{{ .ProjectName }}:{{ .Version }}-arm64' docker_signs: diff --git a/README.md b/README.md index 4674865..6b31cdb 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,16 @@ -# Pulumi ESC Secret Store CSI Driver +# Pulumi ESC Secret Store CSI Driver - 🔒 + +Pulumi ESC for the [Secrets Store CSI driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) will allow +you to mount Pulumi ESC secrets directly into your Kubernetes pods while not using k8s-native secretes in your +Kubernetes cluster. ## Getting Started +### Prerequisites + +- Kubernetes version >= 1.20 +- [Tilt](https://docs.tilt.dev/) (for local development) + ### Deploy Secret Store CSI Driver using Helm Secrets Store CSI Driver allows users to customize their installation via Helm. 
@@ -21,7 +30,21 @@ namespace.
 tilt up
 ```
-### Deploy Pulumi ESC Secret Store CSI Driver - production
+### Deploy Pulumi ESC Secret Store CSI Driver - Kubernetes
+
+See [helm/README.md](chart/README.md) for instructions on how to deploy the Pulumi ESC Secret Store CSI Driver using
+Helm.
+
+## License ⚖️
+
+Apache License, Version 2.0
+
+## Source Code
+
+* 
-See [helm/README.md](chart/README.md) for instructions on how to deploy the Pulumi ESC Secret Store CSI Driver using Helm.
+## Maintainers
+| Name | Email | Url |
+| ---- | ------ | --- |
+| dirien | | |
diff --git a/Tiltfile b/Tiltfile
index c153851..9c82669 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -6,7 +6,7 @@ helm_remote('secrets-store-csi-driver',
 docker_build(
- 'ghcr.io/dirien/secrets-store-csi-driver-provider-pulumi-esc',
+ 'ghcr.io/pulumi/secrets-store-csi-driver-provider-pulumi-esc',
 context='.',
 dockerfile='./Dockerfile.tilt',
 live_update=[
diff --git a/chart/pulumi-esc-csi-provider/Chart.yaml b/chart/pulumi-esc-csi-provider/Chart.yaml
index ff261c0..53c76db 100644
--- a/chart/pulumi-esc-csi-provider/Chart.yaml
+++ b/chart/pulumi-esc-csi-provider/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for the Pulumi ESC CSI provider
 type: application
-version: 0.1.4
+version: 0.1.5
 appVersion: "0.1.0"
 maintainers:
diff --git a/chart/pulumi-esc-csi-provider/README.md b/chart/pulumi-esc-csi-provider/README.md
index 99bbf13..bbdb264 100644
--- a/chart/pulumi-esc-csi-provider/README.md
+++ b/chart/pulumi-esc-csi-provider/README.md
@@ -1,6 +1,6 @@
 # Pulumi ESC Secret Store CSI Driver - Helm Chart
-![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=for-the-badge)
+![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=for-the-badge)
 ## Description 📜
@@ -11,7 +11,7 @@ A Helm chart for the Pulumi ESC CSI provider
 To install the chart using the OCI artifact, run:
 ```bash
-helm install pulumi-esc-csi-provider oci://ghcr.io/dirien/charts/pulumi-esc-csi-provider --version 0.1.4 --namespace kube-system
+helm install pulumi-esc-csi-provider oci://ghcr.io/pulumi/helm-charts/pulumi-esc-csi-provider --version 0.1.5 --namespace kube-system
 ```
 After a few seconds, the `pulumi-esc-csi-provider` should be running.
@@ -20,7 +20,7 @@ To install the chart in a specific namespace use following commands:
 ```bash
 kubectl create ns pulumi-esc-csi-provider
-helm install pulumi-esc-csi-provider oci://ghcr.io/dirien/charts/pulumi-esc-csi-provider --namespace kube-system
+helm install pulumi-esc-csi-provider oci://ghcr.io/pulumi/helm-charts/pulumi-esc-csi-provider --namespace kube-system
 ```
 > **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment
@@ -41,7 +41,7 @@ The command removes all the Kubernetes components associated with the chart and
 |-----|------|---------|-------------|
 | args[0] | string | `"-endpoint=/provider/pulumi.sock"` | |
 | image.pullPolicy | string | `"Always"` | |
-| image.repository | string | `"ghcr.io/dirien/pulumi-esc-csi-provider"` | |
+| image.repository | string | `"ghcr.io/pulumi/pulumi-esc-csi-provider"` | |
 | image.tag | string | `""` | |
 | labels | object | `{}` | |
 | livenessProbe.failureThreshold | int | `2` | |
diff --git a/chart/pulumi-esc-csi-provider/README.md.gotmpl b/chart/pulumi-esc-csi-provider/README.md.gotmpl
index 249341a..bf9fb17 100644
--- a/chart/pulumi-esc-csi-provider/README.md.gotmpl
+++ b/chart/pulumi-esc-csi-provider/README.md.gotmpl
@@ -11,7 +11,7 @@ To install the chart using the OCI artifact, run:
 ```bash
-helm install pulumi-esc-csi-provider oci://ghcr.io/dirien/charts/pulumi-esc-csi-provider --version {{ .Version }} --namespace kube-system
+helm install pulumi-esc-csi-provider oci://ghcr.io/pulumi/helm-charts/pulumi-esc-csi-provider --version {{ .Version }} --namespace kube-system
 ```
 After a few seconds, the `pulumi-esc-csi-provider` should be running.
@@ -20,7 +20,7 @@ To install the chart in a specific namespace use following commands:
 ```bash
 kubectl create ns pulumi-esc-csi-provider
-helm install pulumi-esc-csi-provider oci://ghcr.io/dirien/charts/pulumi-esc-csi-provider --namespace kube-system
+helm install pulumi-esc-csi-provider oci://ghcr.io/pulumi/helm-charts/pulumi-esc-csi-provider --namespace kube-system
 ```
 > **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment
diff --git a/chart/pulumi-esc-csi-provider/values.yaml b/chart/pulumi-esc-csi-provider/values.yaml
index 5b902b1..8a40120 100644
--- a/chart/pulumi-esc-csi-provider/values.yaml
+++ b/chart/pulumi-esc-csi-provider/values.yaml
@@ -1,7 +1,7 @@
 name: pulumi-esc-csi-provider
 namespace: kube-system
 image:
- repository: ghcr.io/dirien/pulumi-esc-csi-provider
+ repository: ghcr.io/pulumi/pulumi-esc-csi-provider
 tag: ''
 pullPolicy: Always
diff --git a/deployment/pulumi-esc-csi-provider.yaml b/deployment/pulumi-esc-csi-provider.yaml
index 9b28e31..44d98b2 100644
--- a/deployment/pulumi-esc-csi-provider.yaml
+++ b/deployment/pulumi-esc-csi-provider.yaml
@@ -69,7 +69,7 @@ spec:
 containers:
 - name: secrets-store-csi-driver-provider-pulumi-esc
- image: "ghcr.io/dirien/pulumi-esc-csi-provider:0.1.0"
+ image: "ghcr.io/pulumi/pulumi-esc-csi-provider:0.1.0"
 imagePullPolicy: Always
 resources: {}
diff --git a/go.mod b/go.mod
index 77ef32a..f1a7815 100644
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module github.com/dirien/pulumi-esc-csi-provider
+module github.com/pulumi/pulumi-esc-csi-provider
 go 1.23.1
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index b941872..07881b7 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -1,4 +1,3 @@
-//go:generate mockgen -destination=mock_$GOPACKAGE/mock_$GOFILE -source=$GOFILE
 package auth
 import (
diff --git a/internal/config/config.go b/internal/config/config.go
index 6e847aa..b594485 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,12 +2,12 @@ package config
 import (
 "fmt"
- "gopkg.in/yaml.v3"
 "os"
 "reflect"
 "strings"
 "github.com/go-playground/validator/v10"
+ "gopkg.in/yaml.v3"
 )
 type Config struct {
diff --git a/internal/server/server.go b/internal/server/server.go
index 0024516..99cbe1a 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -5,8 +5,6 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "github.com/dirien/pulumi-esc-csi-provider/internal/provider"
- "gopkg.in/yaml.v3"
 "log/slog"
 "net"
 "os"
@@ -14,10 +12,12 @@ import (
 "strings"
 "time"
- "github.com/dirien/pulumi-esc-csi-provider/internal/auth"
- "github.com/dirien/pulumi-esc-csi-provider/internal/config"
 "github.com/go-playground/validator/v10"
+ "github.com/pulumi/pulumi-esc-csi-provider/internal/auth"
+ "github.com/pulumi/pulumi-esc-csi-provider/internal/config"
+ "github.com/pulumi/pulumi-esc-csi-provider/internal/provider"
 "google.golang.org/grpc"
+ "gopkg.in/yaml.v3"
 "k8s.io/apimachinery/pkg/types"
 pb "sigs.k8s.io/secrets-store-csi-driver/provider/v1alpha1"
 )
@@ -118,14 +118,17 @@ func (p *PulumiESCProviderServer) Mount(ctx context.Context, req *pb.MountReques
 mountResponse.Error.Code = ErrorBadRequest
 return mountResponse, fmt.Errorf("failed to get credentials, error: %w", err)
 }
- pulumiESCClint := provider.NewPulumiESCClient(credentials.Pat, mountConfig.APIURL, mountConfig.Project, mountConfig.Environment, mountConfig.Organization)
- env, err := pulumiESCClint.EscClient.OpenEnvironment(pulumiESCClint.AuthCtx, mountConfig.Organization, mountConfig.Project, mountConfig.Environment)
+ pulumiESCClint := provider.NewPulumiESCClient(credentials.Pat, mountConfig.APIURL, mountConfig.Project,
+ mountConfig.Environment, mountConfig.Organization)
+ env, err := pulumiESCClint.EscClient.OpenEnvironment(pulumiESCClint.AuthCtx, mountConfig.Organization,
+ mountConfig.Project, mountConfig.Environment)
 if err != nil {
 return nil, err
 }
 secretMap := make(map[string]*secretItem)
 for _, secret := range mountConfig.Secrets {
- val, _, err := pulumiESCClint.EscClient.ReadEnvironmentProperty(pulumiESCClint.AuthCtx, mountConfig.Organization, mountConfig.Project, mountConfig.Environment, env.GetId(), secret.SecretKey)
+ val, _, err := pulumiESCClint.EscClient.ReadEnvironmentProperty(pulumiESCClint.AuthCtx,
+ mountConfig.Organization, mountConfig.Project, mountConfig.Environment, env.GetId(), secret.SecretKey)
 if err != nil {
 return nil, err
 }
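Review bot: The re-wrapped `OpenEnvironment` and `ReadEnvironmentProperty` calls still return the client error bare via `return nil, err`, whereas the credential failure a few lines above sets `mountResponse.Error.Code = ErrorBadRequest` and returns the response, so ESC-side failures reach the driver with no error code and no indication of which environment was being opened. Wrapping at least the first one, `return nil, fmt.Errorf("opening ESC environment %v/%v/%v: %w", mountConfig.Organization, mountConfig.Project, mountConfig.Environment, err)`, makes a failed mount diagnosable from the driver log. While these lines are being touched, the local `pulumiESCClint` could be renamed to `pulumiESCClient`. Mount starts and ends outside this hunk.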
@@ -162,7 +165,8 @@ func (p *PulumiESCProviderServer) Mount(ctx context.Context, req *pb.MountReques
 for _, value := range secretMap {
 files = append(files, &pb.File{Path: value.FileName, Mode: int32(mountConfig.FilePermission), Contents: value.Value})
 ov = append(ov, &pb.ObjectVersion{Id: value.FileName, Version: value.Version})
- slog.Info(fmt.Sprintf("secret added to mount response, directory: %v, file: %v", mountConfig.TargetPath, value.FileName))
+ slog.Info(fmt.Sprintf("secret added to mount response, directory: %v, file: %v",
+ mountConfig.TargetPath, value.FileName))
 }
 return &pb.MountResponse{
diff --git a/main.go b/main.go
index caf29c9..350d171 100644
--- a/main.go
+++ b/main.go
@@ -4,16 +4,18 @@ import (
 "context"
 "flag"
 "fmt"
- "github.com/dirien/pulumi-esc-csi-provider/internal/auth"
- "github.com/dirien/pulumi-esc-csi-provider/internal/server"
- "k8s.io/client-go/kubernetes"
- "k8s.io/client-go/rest"
 "log"
 "net/http"
 "os"
 "os/signal"
 "strings"
 "syscall"
+ "time"
+
+ "github.com/pulumi/pulumi-esc-csi-provider/internal/auth"
+ "github.com/pulumi/pulumi-esc-csi-provider/internal/server"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
 )
 const figletStr = `
@@ -74,8 +76,9 @@ func main() {
 func startHealthCheck() chan error {
 mux := http.NewServeMux()
 ms := http.Server{
- Addr: fmt.Sprintf(":%s", *healthPort),
- Handler: mux,
+ Addr: fmt.Sprintf(":%s", *healthPort),
+ Handler: mux,
+ ReadHeaderTimeout: 10 * time.Second,
 }
 errorCh := make(chan error)
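Review bot: The wrapped call still passes a `fmt.Sprintf`-built message to `slog.Info`, which discards the structured key/value form that `log/slog` is imported for and is the only reason the line needed wrapping at all. `slog.Info("secret added to mount response", "directory", mountConfig.TargetPath, "file", value.FileName)` keeps both values as queryable attributes and fits on one line. Mount starts outside this hunk.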
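Review bot: `ReadHeaderTimeout` in the startHealthCheck hunk covers the slow-header case, but the health server still sets no `ReadTimeout`, `WriteTimeout` or `IdleTimeout`, so a client that sends headers promptly and then stalls, or that holds idle keep-alive connections open, can still occupy the listener indefinitely; since `Addr` binds to all interfaces, that is worth closing off. Adding `ReadTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second, IdleTimeout: 60 * time.Second,` next to the new field is cheap for a health endpoint, and a comment such as `// bound every phase of a health request; the port is exposed on all interfaces` records why the values are there. The body of startHealthCheck continues past the hunk.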