diff --git a/.changes/v1.1.2.md b/.changes/v1.1.2.md index ae24663..08467a1 100644 --- a/.changes/v1.1.2.md +++ b/.changes/v1.1.2.md @@ -54,4 +54,4 @@ - Merge pull request #4 from DelineaXPM/fix-3 (2022-06-28) - Merge pull request #1 from DelineaXPM/delineaKrehl-DeepRebrand (2022-06-02) - Fix for #13 that improves injector error handling. (#14) (2022-05-20) -] + ] diff --git a/.changie.yaml b/.changie.yaml index 49897b0..6ddd4cb 100644 --- a/.changie.yaml +++ b/.changie.yaml @@ -7,12 +7,12 @@ versionFormat: '## {{.Version}} - {{.Time.Format "2006-01-02"}}' kindFormat: '### {{.Kind}}' changeFormat: '* {{.Body}}' kinds: -- label: Added -- label: Changed -- label: Deprecated -- label: Removed -- label: Fixed -- label: Security + - label: Added + - label: Changed + - label: Deprecated + - label: Removed + - label: Fixed + - label: Security newlines: afterChangelogHeader: 1 beforeChangelogVersion: 1 diff --git a/.github/ISSUE_TEMPLATE/FEATURE_REQUEST_TEMPLATE.md b/.github/ISSUE_TEMPLATE/FEATURE_REQUEST_TEMPLATE.md deleted file mode 100644 index 75b0536..0000000 --- a/.github/ISSUE_TEMPLATE/FEATURE_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -name: Feature request -about: If you have a feature or enhancement request ---- - -## Feature / Enhancement proposed - -_What capability would you like to add? Is it something you currently you cannot do? Is this related to an issue/problem?_ - -## Workarounds - -Can you achieve the same result doing it in an alternative way? - -## Has the feature been requested before? - -_If yes, Please provide a link to relevant issues and PRs._ - -## If the feature request is approved, would you be willing to submit a PR? - -_(Help can be provided if you need assistance submitting a PR)_ - -[] Yes [] No diff --git a/.github/ISSUE_TEMPLATE/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE/ISSUE_TEMPLATE.md deleted file mode 100644 index 5783182..0000000 --- a/.github/ISSUE_TEMPLATE/ISSUE_TEMPLATE.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -name: Bug report -about: For reporting bugs and other general issues. ---- - -**Description of the issue** - -Describe your issue here. - -**Expected behaviour** - -Tell us what _should_ happen - -**Actual behavior** - -Tell us what _actually_ happens - -**Your environment** - -Tell us more about your environment; such as, What OS are you running? What version of _pluginName_ are you using? Etc. - -**Steps to reproduce** - -Tell us how to reproduce this issue. Please include code examples as necessary. diff --git a/.github/PULL_REQUEST_TEMPLATE/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 85fb5e7..0000000 --- a/.github/PULL_REQUEST_TEMPLATE/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,35 +0,0 @@ ---- -name: Pull request -about: If you have a pull request to fix a bug or add a feature ---- - -## Pull request checklist - -Please check if your PR fulfills the following requirements: - -- [ ] You have read the contributing guide -- [ ] Tests for the changes have been added -- [ ] The documentation has been reviewed and updated as needed - -## What is the current behavior? - -_Please describe the current behavior that you are modifying, and link its a relevant issue_ - -Issue Number: _Add the issue number this PR address here._ - -## What is the new behavior? - -- -- -- - -## Does this introduce a breaking change? - -- [ ] Yes -- [ ] No - -**If yes, please describe...** - -## Other relevant information - -_e.g. does this PR require another PR to be merged first?_ \ No newline at end of file diff --git a/.gitleaks.toml b/.gitleaks.toml index 9e6b64e..11688b5 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -2,164 +2,161 @@ title = "gitleaks config" [[rules]] - description = "AWS Access Key" - regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' - tags = ["key", "AWS"] +description = "AWS Access Key" +regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' +tags = ["key", "AWS"] [[rules]] - description = "AWS cred file info" - regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}''' - tags = ["AWS"] +description = "AWS cred file info" +regex = '''(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}''' +tags = ["AWS"] [[rules]] - description = "AWS Secret Key" - regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]''' - tags = ["key", "AWS"] +description = "AWS Secret Key" +regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]''' +tags = ["key", "AWS"] [[rules]] - description = "AWS MWS key" - regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' - tags = ["key", "AWS", "MWS"] +description = "AWS MWS key" +regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' +tags = ["key", "AWS", "MWS"] [[rules]] - description = "Facebook Secret Key" - regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]''' - tags = ["key", "Facebook"] +description = "Facebook Secret Key" +regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]''' +tags = ["key", "Facebook"] [[rules]] - description = "Facebook Client ID" - regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]''' - tags = ["key", "Facebook"] +description = "Facebook Client ID" +regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]''' +tags = ["key", "Facebook"] [[rules]] - description = "Twitter Secret Key" - regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]''' - tags = ["key", "Twitter"] +description = "Twitter Secret Key" +regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]''' +tags = ["key", "Twitter"] [[rules]] - description = "Twitter Client ID" - regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]''' - tags = ["client", "Twitter"] +description = "Twitter Client ID" +regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]''' +tags = ["client", "Twitter"] [[rules]] - description = "Github" - regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]''' - tags = ["key", "Github"] +description = "Github" +regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]''' +tags = ["key", "Github"] [[rules]] - description = "LinkedIn Client ID" - regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]''' - tags = ["client", "LinkedIn"] +description = "LinkedIn Client ID" +regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]''' +tags = ["client", "LinkedIn"] [[rules]] - description = "LinkedIn Secret Key" - regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]''' - tags = ["secret", "LinkedIn"] +description = "LinkedIn Secret Key" +regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]''' +tags = ["secret", "LinkedIn"] [[rules]] - description = "Slack" - regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' - tags = ["key", "Slack"] +description = "Slack" +regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' +tags = ["key", "Slack"] [[rules]] - description = "EC" - regex = '''-----BEGIN EC PRIVATE KEY-----''' - tags = ["key", "EC"] +description = "EC" +regex = '''-----BEGIN EC PRIVATE KEY-----''' +tags = ["key", "EC"] [[rules]] - description = "Google API key" - regex = '''AIza[0-9A-Za-z\\-_]{35}''' - tags = ["key", "Google"] +description = "Google API key" +regex = '''AIza[0-9A-Za-z\\-_]{35}''' +tags = ["key", "Google"] [[rules]] - description = "Heroku API key" - regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]''' - tags = ["key", "Heroku"] +description = "Heroku API key" +regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]''' +tags = ["key", "Heroku"] [[rules]] - description = "MailChimp API key" - regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''' - tags = ["key", "Mailchimp"] +description = "MailChimp API key" +regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''' +tags = ["key", "Mailchimp"] [[rules]] - description = "Mailgun API key" - regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]''' - tags = ["key", "Mailgun"] +description = "Mailgun API key" +regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]''' +tags = ["key", "Mailgun"] [[rules]] - description = "PayPal Braintree access token" - regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' - tags = ["key", "Paypal"] +description = "PayPal Braintree access token" +regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' +tags = ["key", "Paypal"] [[rules]] - description = "Picatic API key" - regex = '''sk_live_[0-9a-z]{32}''' - tags = ["key", "Picatic"] +description = "Picatic API key" +regex = '''sk_live_[0-9a-z]{32}''' +tags = ["key", "Picatic"] [[rules]] - description = "Slack Webhook" - regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' - tags = ["key", "slack"] +description = "Slack Webhook" +regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' +tags = ["key", "slack"] [[rules]] - description = "Stripe API key" - regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}''' - tags = ["key", "Stripe"] +description = "Stripe API key" +regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}''' +tags = ["key", "Stripe"] [[rules]] - description = "Square access token" - regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' - tags = ["key", "square"] +description = "Square access token" +regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' +tags = ["key", "square"] [[rules]] - description = "Square OAuth secret" - regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' - tags = ["key", "square"] +description = "Square OAuth secret" +regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' +tags = ["key", "square"] [[rules]] - description = "Twilio API key" - regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]''' - tags = ["key", "twilio"] +description = "Twilio API key" +regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]''' +tags = ["key", "twilio"] [[rules]] - description = "Env Var" - regex = '''(?i)(apikey|secret|key|api|password|pass|pw|host)=[0-9a-zA-Z-_.{}]{4,120}''' +description = "Env Var" +regex = '''(?i)(apikey|secret|key|api|password|pass|pw|host)=[0-9a-zA-Z-_.{}]{4,120}''' [[rules]] - description = "Port" - regex = '''(?i)port(.{0,4})?[0-9]{1,10}''' - [rules.allowlist] - regexes = ['''(?i)port '''] - description = "ignore export " - +description = "Port" +regex = '''(?i)port(.{0,4})?[0-9]{1,10}''' +[rules.allowlist] +regexes = ['''(?i)port '''] +description = "ignore export " [[rules]] - description = "Email" - regex = '''[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}''' - tags = ["email"] - [rules.allowlist] - files = ['''(?i)bashrc'''] - regexes = [ - '''(semverbot@github.com)''' - ] - description = "ignore bashrc emails" +description = "Email" +regex = '''[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}''' +tags = ["email"] +[rules.allowlist] +files = ['''(?i)bashrc'''] +regexes = ['''(semverbot@github.com)'''] +description = "ignore bashrc emails" [[rules]] - description = "Generic Credential" - regex = '''(?i)(dbpasswd|dbuser|dbname|dbhost|api_key|apikey|secret|key|api|password|user|guid|hostname|pw|auth)(.{0,20})?['|"]([0-9a-zA-Z-_\/+!{}/=]{4,120})['|"]''' - tags = ["key", "API", "generic"] - # ignore leaks with specific identifiers like slack and aws - [rules.allowlist] - description = "ignore slack, mailchimp, aws" - regexes = [ - '''xox[baprs]-([0-9a-zA-Z]{10,48})''', - '''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''', - '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' - ] +description = "Generic Credential" +regex = '''(?i)(dbpasswd|dbuser|dbname|dbhost|api_key|apikey|secret|key|api|password|user|guid|hostname|pw|auth)(.{0,20})?['|"]([0-9a-zA-Z-_\/+!{}/=]{4,120})['|"]''' +tags = ["key", "API", "generic"] +# ignore leaks with specific identifiers like slack and aws +[rules.allowlist] +description = "ignore slack, mailchimp, aws" +regexes = [ + '''xox[baprs]-([0-9a-zA-Z]{10,48})''', + '''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''', + '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''', +] # Generates of noise # [[rules]] # description = "High Entropy" @@ -175,18 +172,18 @@ title = "gitleaks config" # paths = ['''(.*)?ssh'''] [[rules]] - description = "Potential bash var" - regex='''(?i)(=)([0-9a-zA-Z-_!{}=]{4,120})''' - tags = ["key", "bash", "API", "generic"] - [[rules.Entropies]] - Min = "3.5" - Max = "4.5" - Group = "1" +description = "Potential bash var" +regex = '''(?i)(=)([0-9a-zA-Z-_!{}=]{4,120})''' +tags = ["key", "bash", "API", "generic"] +[[rules.Entropies]] +Min = "3.5" +Max = "4.5" +Group = "1" [[rules]] - description = "WP-Config" - regex='''define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?['|"].{10,120}['|"]''' - tags = ["key", "API", "generic"] +description = "WP-Config" +regex = '''define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?['|"].{10,120}['|"]''' +tags = ["key", "API", "generic"] # [[rules]] # description = "Files with keys and credentials" @@ -195,10 +192,10 @@ title = "gitleaks config" # Global allowlist [allowlist] description = "Allowlisted files" - files = ['''(.*?)(jpg|gif|doc|pdf|bin)$'''] - paths = [ - '''gitleaks\.toml''', - '''.devcontainer/''', # setup scripts for devcontainer/codespace - '''.pre-commit-config.yaml$''', - '''(go.mod|go.sum)$''', - ] \ No newline at end of file +files = ['''(.*?)(jpg|gif|doc|pdf|bin)$'''] +paths = [ + '''gitleaks\.toml''', + '''.devcontainer/''', # setup scripts for devcontainer/codespace + '''.pre-commit-config.yaml$''', + '''(go.mod|go.sum)$''', +] diff --git a/.markdownlint.yaml b/.markdownlint.yaml index e3156a3..1133fbb 100644 --- a/.markdownlint.yaml +++ b/.markdownlint.yaml @@ -44,7 +44,8 @@ MD025: true # Try applying semantic line break concept for breaking up longer phrases # https://sembr.org/ MD013: - line_length: 120 + false + # line_length: 150 # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content # This tweaks to allow nested items to have duplicate headers. @@ -53,3 +54,6 @@ MD024: allow_different_nesting: true # Only check sibling headings siblings_only: true + +# allow embedded html +MD033: false diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e07b79b..556c7eb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -32,7 +32,15 @@ repos: - name: detect-secrets id: detect-secrets stages: [commit] - args: [--disable-plugin, KeywordDetector, --exclude-files, .gitleaks.toml, --exclude-files, .trunk/trunk.yaml] + args: + [ + --disable-plugin, + KeywordDetector, + --exclude-files, + .gitleaks.toml, + --exclude-files, + .trunk/trunk.yaml, + ] - repo: https://github.com/adrienverge/yamllint.git rev: v1.27.1 # or higher tag hooks: @@ -66,7 +74,8 @@ repos: - repo: https://gitlab.com/bmares/check-json5 rev: v1.0.0 hooks: - - id: check-json5 + - id: + check-json5 # stages: ['commit'] - repo: local hooks: diff --git a/.prettierrc.yaml b/.prettierrc.yaml index 060543f..7b1894d 100644 --- a/.prettierrc.yaml +++ b/.prettierrc.yaml @@ -1,5 +1,2 @@ --- singleQuote: true -editionconfig: true -options: - editorconfig: true diff --git a/.trunk/actions b/.trunk/actions index 6ac8897..279dbec 120000 --- a/.trunk/actions +++ b/.trunk/actions @@ -1 +1 @@ -/Users/sheldonhull/.cache/trunk/repos/a4acd17857bd5d4b0d7cc2c8caa22290/actions \ No newline at end of file +/home/codespace/.cache/trunk/repos/d04a383d1909a139617b5284ddf891a9/actions \ No newline at end of file diff --git a/.trunk/notifications b/.trunk/notifications index 6203342..13309e8 120000 --- a/.trunk/notifications +++ b/.trunk/notifications @@ -1 +1 @@ -/Users/sheldonhull/.cache/trunk/repos/a4acd17857bd5d4b0d7cc2c8caa22290/notifications \ No newline at end of file +/home/codespace/.cache/trunk/repos/d04a383d1909a139617b5284ddf891a9/notifications \ No newline at end of file diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index dd47f40..074f36b 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -41,7 +41,7 @@ runtimes: - name: GOROOT value: ${runtime} - name: GO111MODULE - value: on + value: on # trunk-ignore(yamllint/truthy) - name: CGO_ENABLED value: 1 enabled: [go@1.19, node@16.14.2, python@3.10.3] @@ -83,3 +83,6 @@ lint: - b/test_data/** - vendor/* - .changes/* + - 'charts/*/templates/*' + # - linters: [prettier, yamllint] + # paths: diff --git a/.vscode/settings.json b/.vscode/settings.json index 8e5250c..1c076a2 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -10,7 +10,7 @@ "source.organizeImports": false }, "editor.defaultFormatter": "golang.go", - "editor.formatOnSave": true, + "editor.formatOnSave": true }, "go.coverageOptions": "showUncoveredCodeOnly", // "go.coverOnSave": true, @@ -29,11 +29,7 @@ "GOTESTS_TEMPLATE": "test", "IS_NO_COLOR": true }, - "go.testFlags": [ - "-v", - "-race", - "-shuffle=on", - ], + "go.testFlags": ["-v", "-race", "-shuffle=on"], "go.testTags": "integration", "go.toolsManagement.autoUpdate": true, "go.useLanguageServer": true, diff --git a/.yamllint.yaml b/.yamllint.yaml index 35ac5d8..9be16ab 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -1,5 +1,12 @@ --- extends: default +# For all rules +ignore: | + .markdownlint-cli2.yaml + .licenses/ + docs/godocs/ + templates/ + charts/ rules: line-length: disable document-start: disable @@ -13,9 +20,3 @@ rules: truthy: allowed-values: ['true', 'false'] check-keys: false - -# For all rules -ignore: | - .markdownlint-cli2.yaml - .licenses/ - docs/godocs/ diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e3725d..fc86a26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html), and is generated by [Changie](https://github.com/miniscruff/changie). - ## [v1.1.2] (2022-10-10) ### Added @@ -63,7 +62,7 @@ and is generated by [Changie](https://github.com/miniscruff/changie). - Merge pull request #4 from DelineaXPM/fix-3 (2022-06-28) - Merge pull request #1 from DelineaXPM/delineaKrehl-DeepRebrand (2022-06-02) - Fix for #13 that improves injector error handling. (#14) (2022-05-20) -] + ] ## [v1.1.1] (2022-10-10) diff --git a/DEVELOPER.md b/DEVELOPER.md index 5e61b69..03b1b1a 100644 --- a/DEVELOPER.md +++ b/DEVELOPER.md @@ -23,7 +23,7 @@ ## I'm starting from scratch -> ***NOTE*** +> **_NOTE_** > Docker is left out of these directions, just install that from [Docker Desktop](https://www.docker.com/products/docker-desktop/) site. ### Windows @@ -53,7 +53,7 @@ Run `code --install-extension ms-vscode-remote.remote-containers` ## Spin It Up -> ***NOTE*** +> **_NOTE_** > > ๐ŸŽ PERFORMANCE TIP: Using the directions provided for named container volume will optimize performance over trying to just "open in container" as there is no mounting files to your local filesystem. @@ -62,7 +62,7 @@ Use command pallet with vscode (Control+Shift+P or F1) and type to find the comm - Put the git clone url in, for example: `https://github.com/DelineaXPM/dsv-k8s.git` - Name the volume and directory both dsv-k8s or whatever you prefer. -> ***NOTE*** +> **_NOTE_** > This is a large development image (10GB). The first time you run this it will take a while. However, after this first run, rebuilding the container to start over should be minimal time, as you'll have the majority of Docker image cached locally. This includes (for updated info just look at dockerfile): @@ -81,15 +81,15 @@ This includes (for updated info just look at dockerfile): 1. Accept "Install Recommended Extensions" from popup, to automatically get all the preset tools, such as Kubernetes, Go and others setup. 1. Open a new `zsh-login` terminal and allow the automatic setup to finish, as this will ensure all other required tools are setup. - - Make sure to run `direnv allow` as it prompts you, to ensure all project and your personal environment variables (optional). + - Make sure to run `direnv allow` as it prompts you, to ensure all project and your personal environment variables (optional). 1. Make sure Go 1.19 is the correct version running with `go version`. 1. If it's not, run `sudo .devcontainer/library-scripts/go-debian.sh "1.19"` -2. Run setup task: - - Using CLI: Run `mage init` +1. Run setup task: + - Using CLI: Run `mage init` ## Working With Kind & Stack Locally -> ***NOTE*** +> **_NOTE_** > For any tasks get more help with `-h`, for example, run `mage -h k8s:init` ### Kind @@ -115,7 +115,7 @@ The ports internally aren't the same as externally in your host OS. If the port forward isn't discovered automatically, enable it yourself, by using the port forward tab (next to the terminal tab). 1. You should see a port forward once the services are up (next to the terminal button in the bottom pane). - 1. If the click to open url doesn't work, try accessing the path manually, and ensure it is `https`. - Example: `https://127.0.0.1:9999` + 1. If the click to open url doesn't work, try accessing the path manually, and ensure it is `https`. + Example: `https://127.0.0.1:9999` You can choose the external port to access, or even click on it in the tab and it will open in your host for you. diff --git a/README.md b/README.md index 29ba876..a2b9ff6 100644 --- a/README.md +++ b/README.md @@ -1,24 +1,28 @@ # Delinea DevOps Secrets Vault Kubernetes Secret Injector and Syncer + -[![All Contributors](https://img.shields.io/badge/all_contributors-1-orange.svg?style=flat-square)](#contributors-) + +[![All Contributors](https://img.shields.io/badge/all_contributors-7-orange.svg?style=flat-square)](#contributors) + -[![Tests](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/tests.yml/badge.svg)](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/tests.yml) [![Docker](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/docker.yml/badge.svg)](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/docker.yml) [![GitHub](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/github.yml/badge.svg)](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/github.yml) [![Red Hat Quay](https://quay.io/repository/delinea/dsv-k8s/status "Red Hat Quay")](https://quay.io/repository/delinea/dsv-k8s) +[![Tests](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/test.yml/badge.svg)](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/test.yml) + +[![Release](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/release.yml/badge.svg)](https://github.com/DelineaXPM/dsv-k8s/actions/workflows/release.yml) + +[![Red Hat Quay](https://quay.io/repository/delinea/dsv-k8s/status 'Red Hat Quay')](https://quay.io/repository/delinea/dsv-k8s) A [Kubernetes](https://kubernetes.io/) [Mutating Webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) -that injects Secret data from Delinea DevOps Secrets Vault (DSV) into Kubernetes Secrets and a -[CronJob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) +that injects Secret data from Delinea DevOps Secrets Vault (DSV) into Kubernetes Secrets and a [CronJob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) that subsequently periodically synchronizes them from the source, DSV. The webhook can be hosted as a pod or as a stand-alone service. Likewise, the cronjob can run inside or outside the cluster. - The webhook intercepts `CREATE` Secret admissions and then mutates the Secret with data from DSV. The syncer scans the cluster (or a single namespace) for Secrets that were mutated and, upon finding a mutated secret, it compares the version of the DSV Secret with the version it was mutated with and, if the version in DSV is newer, then the mutation is repeated. - The common configuration consists of one or more Client Credential Tenant mappings. The credentials are then specified in an [Annotation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) on the Kubernetes Secret to be mutated. @@ -26,35 +30,43 @@ See [below](#use). The webhook and syncer use the [Golang SDK](https://github.com/DelineaXPM/dsv-sdk-go) to communicate with the DSV API. - They were tested with [Docker Desktop](https://www.docker.com/products/docker-desktop/) and [Minikube](https://minikube.sigs.k8s.io/). They also work on [OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift), [Microk8s](https://microk8s.io/) and others. -## Injector and Syncer Differences +## Injector & Syncer Differences -- Injector: This is a mutating webhook using AdmissionController. This means it operates on the `CREATE` of a Secret, and ensures it modified before finishing the creation of the resource in Kubernetes. This only runs on the creation action triggered by the server. -- Syncer: In contrast, the syncer is a normal cronjob operating on a schedule, checking for any variance in the data between the Secret data between the resource in Kubernetes and the expected value from DSV. +- Injector: This is a mutating webhook using AdmissionController. + This means it operates on the `CREATE` of a Secret, and ensures it modified before finishing the creation of the resource in Kubernetes. + This only runs on the creation action triggered by the server. +- Syncer: In contrast, the syncer is a normal cronjob operating on a schedule, checking for any variance in the data + between the Secret data between the resource in Kubernetes and the expected value from DSV. ## Which Should I Use? - Both: If you want a secret to be injected on creation and also synced on your cron schedule then use the Injector and Syncer. -- Injector: If you want the secret to be static despite the change upstream in DSV, and will recreate the secret on any need to upgrade, then the injector. This will reduce the API calls to DSV as well. -- Syncer: If you want the secret value to be updated within the targeted schedule automatically. If this is run by itself without the injector, there can be a lag of up to a minute before the syncer will update the secret. Your application should be able to handle retrying the load of the credential to avoid using the cached credential value that might have been loaded on app start-up in this case. +- Injector: If you want the secret to be static despite the change upstream in DSV, and will recreate the secret on any need to upgrade, then the injector. + This will reduce the API calls to DSV as well. +- Syncer: If you want the secret value to be updated within the targeted schedule automatically. + If this is run by itself without the injector, there can be a lag of up to a minute before the syncer will update the secret. + Your application should be able to handle retrying the load of the credential to avoid using the cached credential value that might have been loaded on app start-up in this case. ## Local Development Tooling - Make: Makefiles provide core automation. -- Mage: Mage is a Go based automation alternative to Make and provides newer functionality for local Kind cluster setup, Go development tooling/linting, and more. Requires Go 17+ and is easily installed via: `go install github.com/magefile/mage@latest`. Run `mage -l` to list all available tasks, and `mage init` to setup developer tooling. +- Mage: Mage is a Go based automation alternative to Make and provides newer functionality for local Kind cluster setup, Go development tooling/linting, and more. + Requires Go 17+ and is easily installed via: `go install github.com/magefile/mage@latest`. + Run `mage -l` to list all available tasks, and `mage init` to setup developer tooling. - Pre-Commit: Requires Python3. Included in project, this allows linting and formatting automation before committing, improving the feedback loop. - Optional: - - Devcontainer configuration included for VSCode to work with Devcontainers and Codespaces in a pre-built development environment that works on all platforms, and includes nested Docker + ability to run Kind kubernetes clusters without any installing any of those on the Host OS. - - Direnv: Default test values are loaded on macOS/Linux based system using [direnv](https://direnv.net/docs/installation.html). - Run `direnv allow` in the directory to load default env configuration for testing. - - macOS/Linux: [Trunk.io](https://trunk.io/) to provide linting and formatting on the project. Included in recommended extensions. - - `trunk install`, `trunk check`, and `trunk fmt` simplifies running checks. + - Devcontainer configuration included for VSCode to work with Devcontainers and Codespaces in a pre-built development environment that works on all platforms, and includes nested Docker and ability to run Kind kubernetes clusters without any installing any of those on the Host OS. +- Direnv: Default test values are loaded on macOS/Linux based system using [direnv](https://direnv.net/docs/installation.html). + Run `direnv allow` in the directory to load default env configuration for testing. +- macOS/Linux: [Trunk.io](https://trunk.io/) to provide linting and formatting on the project. + Included in recommended extensions. +- `trunk install`, `trunk check`, and `trunk fmt` simplifies running checks. ## List of Mage Tasks @@ -84,7 +96,7 @@ The configuration requires a JSON formatted list of Client Credential and Tenant } ``` -> ***note*** +> **_note_** > the injector uses the _default_ credentials when mutating a Kubernetes Secret without a _credentialAnnotation_. > See [below](#use) @@ -110,7 +122,6 @@ Usage of ./dsv-injector: Thus the injector can run "anywhere," but, typically, the injector runs as a POD in the Kubernetes cluster that uses it. - The syncer is a simple Golang executable. It typically runs as a Kubernetes CronJob, but it will run outside the cluster. @@ -127,11 +138,10 @@ Usage of ./dsv-syncer: ### Build -> ***note*** +> **_note_** > Building the `dsv-injector` image is not required to install it as it is. > It is available on multiple public registries. - -Building the image requires [Docker](https://www.docker.com/) or [Podman](https://podman.io/) and [GNU Make](https://www.gnu.org/software/make/). +> Building the image requires [Docker](https://www.docker.com/) or [Podman](https://podman.io/) and [GNU Make](https://www.gnu.org/software/make/). To build it, run: `make`. @@ -142,33 +152,32 @@ It will also build the image (which will build and store its own copy of the bin The tests expect a few environmental conditions to be met. -> ***note*** +> **_note_** > For more detailed setup see collapsed section below for DSV Test Configuration Setup. - A valid DSV tenant. - A secret created with the data format below: - { - "data": { - "password": "admin", - "username": "admin" - }, - "version": "0" - } + { + "data": { + "password": "admin", + "username": "admin" + }, + "version": "0" + } - A `configs/credentials.json` to be created manually that contains the client credentials. - The `configs/credentials.json` credential to be structured like this: - { - "app1": { - "credentials": { - "clientId": "", - "clientSecret": "" - }, - "tenant": "app1" - } - } + { + "app1": { + "credentials": { + "clientId": "", + "clientSecret": "" + }, + "tenant": "app1" + } + } -> ***warning*** -> `app1` is required and using any other will fail test conditions. +> **_warning_** > `app1` is required and using any other will fail test conditions.
๐Ÿงช DSV Test Configuration Setup @@ -190,7 +199,6 @@ make test ``` Set `$(GO_TEST_FLAGS)` to `-v` to get DEBUG output. - They require a `credentials.json` as either a file or a string. They also require the path to a secret to test to use. Use environment variables to specify both: @@ -228,10 +236,8 @@ gotestsum --format dots-v2 --watch ./... -- -v Installation requires [Helm](https://helm.sh). There are two separate charts for the injector and the syncer. The `Makefile` demonstrates a typical installation of both. - The dsv-injector chart imports `credentials.json` from the filesystem and stores it in a Kubernetes Secret. The dsv-syncer chart refers to that Secret instead of creating its own. - The Helm `values.yaml` file `image.repository` is `quay.io/delinea/dsv-k8s`: ```yaml @@ -239,7 +245,7 @@ image: repository: quay.io/delinea/dsv-k8s pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "" +tag: '' ``` That means, by default, `make install` will pull from Red Hat Quay. @@ -342,7 +348,7 @@ For it to work: By default that's `dsv-injector.dsv.svc`. - The `$(EXTERNAL_NAME)` is a required argument, and the name itself must be resolvable _inside_ the cluster. -__localhost will not work__. + **localhost will not work**. If the `$(CA_BUNDLE)` is argument is omitted, `make` will attempt to extract it from `kubectl config`: @@ -361,7 +367,6 @@ kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authori Optionally set `$(CA_BUNDLE_KUBE_CONFIG_INDEX)` to use `1`, to use the second cluster in your configuration, `2` for the third and so on. - โ„น๏ธ All this assumes that the injector uses a certificate signed by the cluster CA. There are several options like [cert-manager](https://cert-manager.io/) for getting cluster-signed certs, however, @@ -384,7 +389,6 @@ Now run it: Once the injector is available in the Kubernetes cluster, and the webhook is in place, any correctly annotated Kubernetes Secrets are modified on create and update. - The four annotations that affect the behavior of the webhook are: ```golang @@ -399,17 +403,16 @@ const( `credentialsAnnotation` selects the credentials that the injector uses to retrieve the DSV Secret. If the credentials are present, it must map to Client Credential and Tenant mapping. The injector will use the _default_ Credential and Tenant mapping unless the `credentialsAnnotation` is declared. - The `setAnnotation`, `addAnnotation` and `updateAnnotation`, must contain the path to the DSV Secret that the injector will use to mutate the Kubernetes Secret. - `addAnnotation` adds missing fields without overwriting or removing existing fields. - `updateAnnotation` adds and overwrites existing fields but does not remove fields. - `setAnnotation` overwrites fields and removes fields that do not exist in the DSV Secret. - -NOTE: A Kubernetes Secret should specify only one of the "add," "update," -or "set" annotations. The order of precedence is `setAnnotation`, -then `addAnnotation`, then `updateAnnotation` when multiple are present. + NOTE: A Kubernetes Secret should specify only one of the "add," "update," + or "set" annotations. + The order of precedence is `setAnnotation`, + then `addAnnotation`, then `updateAnnotation` when multiple are present. ### Examples @@ -436,7 +439,6 @@ so the data in the injector will overwrite the existing contents of the Kubernet if `/test/secret` contains a `username` and `password` but no `domain`, then the Kubernetes Secret would get the `username` and `password` from the DSV Secret Data but, the injector will remove the `domain` field. - There are more examples in the `examples` directory. They show how the different annotations work. @@ -445,50 +447,82 @@ They show how the different annotations work. Use Stern to easily stream cross namespace logs with the `dsv-filter-selector` by running: - To grab Stern binary, you can run `$(curl -fSSl https://github.com/wercker/stern/releases/download/1.11.0/stern_linux_amd64 -o ./stern) && sudo chmod +x ./stern && sudo mv ./stern /usr/local/bin`. (Modify version as you need) -- For all pods in the namespace run `stern --kubeconfig .cache/config --namespace dsv --timestamps .` -- For pods with the selector run `stern --kubeconfig .cache/config --namespace dsv --timestamps --selector 'dsv-filter-name in (dsv-syncer, dsv-injector)'` +- For all pods in the namespace run `stern --kubeconfig .cache/config --namespace dsv --timestamps .` +- For pods with the selector run `stern --kubeconfig .cache/config --namespace dsv --timestamps --selector 'dsv-filter-name in (dsv-syncer, dsv-injector)'` ## Reference Mage Tasks > Manually updated, for most recent Mage tasks, run `mage -l`. -| Target | Description | -| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -| clean | up after yourself. | -| gittools:init | โš™๏ธ Init runs all required steps to use this package. | -| go:doctor | ๐Ÿฅ Doctor will provide config details. | -| go:fix | ๐Ÿ”Ž Run golangci-lint and apply any auto-fix. | -| go:fmt | โœจ Fmt runs gofumpt. | -| go:init | โš™๏ธ Init runs all required steps to use this package. | -| go:lint | ๐Ÿ”Ž Run golangci-lint without fixing. | -| go:lintConfig | ๐Ÿฅ LintConfig will return output of golangci-lint config. | -| go:test | ๐Ÿงช Run go test. | -| go:testSum | ๐Ÿงช Run gotestsum (Params: Path just like you pass to go test, ie ./..., pkg/, etc ). | -| go:tidy | ๐Ÿงน Tidy tidies. | -| go:wrap | โœจ Wrap runs golines powered by gofumpt. | -| helm:docs | generates helm documentation using `helm-doc` tool. | -| helm:init | โš™๏ธ Init sets up the required files to allow for local editing/overriding from CacheDirectory. | -| helm:install | ๐Ÿš€ Install uses Helm to install the chart. | -| helm:lint | ๐Ÿ” Lint uses Helm to lint the chart for issues. | -| helm:render | ๐Ÿ’พ Render uses Helm to output rendered yaml for testing helm integration. | -| helm:uninstall | ๐Ÿš€ Uninstall uses Helm to uninstall the chart. | -| init | runs multiple tasks to initialize all the requirements for running a project for a new contributor. | -| job:redeploy | removes kubernetes resources and helm charts and then redeploys with log streaming by default. | -| job:setup | initializes all the required steps for the cluster creation, initial helm chart copies, and kubeconfig copies. | -| k8s:apply | applies a kubernetes manifest. | -| k8s:delete | Apply applies a kubernetes manifest. | -| k8s:init | copies the k8 yaml manifest files from the examples directory to the cache directory for editing and linking in integration testing. | -| k8s:logs | streams logs until canceled for the dsv syncing jobs, based on the label `dsv.delinea.com: syncer`. | -| kind:destroy | ๐Ÿ—‘๏ธ Destroy tears down the Kind cluster. | -| kind:init | โž• Create creates a new Kind cluster and populates a kubeconfig in cachedirectory. | -| precommit:commit | ๐Ÿงช Commit runs pre-commit checks using pre-commit. | -| precommit:init | โš™๏ธ Init configures precommit hooks. | -| precommit:prepush | ๐Ÿงช Push runs pre-push checks using pre-commit. | -| precommit:uninstall | โœ– Uninstall removes the pre-commit hooks. | -| secrets:detect | ๐Ÿ” Detect scans for secret violations with gitleaks without git consideration. | -| secrets:protect | ๐Ÿ” Protect scans the staged artifacts for violations. | - -## Contributors โœจ +| Target | Description | +| ------ | ------------------ | +| clean | up after yourself. | + +| +| gittools:init | โš™๏ธ Init runs all required steps to use this package. +| +| go:doctor | ๐Ÿฅ Doctor will provide config details. +| +| go:fix | ๐Ÿ”Ž Run golangci-lint and apply any auto-fix. +| +| go:fmt | โœจ Fmt runs gofumpt. +| +| go:init | โš™๏ธ Init runs all required steps to use this package. +| +| go:lint | ๐Ÿ”Ž Run golangci-lint without fixing. +| +| go:lintConfig | ๐Ÿฅ LintConfig will return output of golangci-lint config. +| +| go:test | ๐Ÿงช Run go test. +| +| go:testSum | ๐Ÿงช Run gotestsum (Params: Path just like you pass to go test, ie ./..., pkg/, etc ). | +| go:tidy | ๐Ÿงน Tidy tidies. +| +| go:wrap | โœจ Wrap runs golines powered by gofumpt. +| +| helm:docs | generates helm documentation using `helm-doc` tool. +| +| helm:init | โš™๏ธ Init sets up the required files to allow for local editing/overriding from CacheDirectory. +| +| helm:install | ๐Ÿš€ Install uses Helm to install the chart. +| +| helm:lint | ๐Ÿ” Lint uses Helm to lint the chart for issues. +| +| helm:render | ๐Ÿ’พ Render uses Helm to output rendered yaml for testing helm integration. +| +| helm:uninstall | ๐Ÿš€ Uninstall uses Helm to uninstall the chart. +| +| init | runs multiple tasks to initialize all the requirements for running a project for a new contributor. +| +| job:redeploy | removes kubernetes resources and helm charts and then redeploys with log streaming by default. +| +| job:setup | initializes all the required steps for the cluster creation, initial helm chart copies, and kubeconfig copies. +| +| k8s:apply | applies a kubernetes manifest. +| +| k8s:delete | Apply applies a kubernetes manifest. +| +| k8s:init | copies the k8 yaml manifest files from the examples directory to the cache directory for editing and linking in integration testing. +| +| k8s:logs | streams logs until canceled for the dsv syncing jobs, based on the label `dsv.delinea.com: syncer`. | +| kind:destroy | ๐Ÿ—‘๏ธ Destroy tears down the Kind cluster. +| +| kind:init | โž• Create creates a new Kind cluster and populates a kubeconfig in cachedirectory. +| +| precommit:commit | ๐Ÿงช Commit runs pre-commit checks using pre-commit. +| +| precommit:init | โš™๏ธ Init configures precommit hooks. +| +| precommit:prepush | ๐Ÿงช Push runs pre-push checks using pre-commit. +| +| precommit:uninstall | โœ– Uninstall removes the pre-commit hooks. +| +| secrets:detect | ๐Ÿ” Detect scans for secret violations with gitleaks without git consideration. +| +| secrets:protect | ๐Ÿ” Protect scans the staged artifacts for violations. +| + +## Contributors Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)): @@ -498,7 +532,8 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d - + @@ -514,4 +549,5 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d -This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome! +This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. +Contributions of any kind welcome! diff --git a/charts/dsv-injector/README.md b/charts/dsv-injector/README.md index fe14be3..c1ed433 100644 --- a/charts/dsv-injector/README.md +++ b/charts/dsv-injector/README.md @@ -6,31 +6,30 @@ A Helm chart for the Delinea DevOps Secrets Vault (DSV) Injector Mutating Webhoo ## Maintainers -| Name | Email | Url | -| ---- | ------ | --- | -| Sheldon Hull | | | -| Delinea DSV Team | | | +| Name | Email | Url | +| ---------------- | ----- | --- | +| Sheldon Hull | | | +| Delinea DSV Team | | | ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| containerPort | int | `18543` | containerPort is the port that the container itself listens on | -| credentialsJson | string | `"{\n \"default\": {\n \"credentials\": {\n \"clientId\": \"\",\n \"clientSecret\": \"\"\n },\n \"tenant\": \"example\"\n }\n}"` | credentialsJson contains the JSON-formatted credentials file (see README.md) @default - placeholder. *REQUIRED FIELD* | -| fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"Always"` | | -| image.repository | string | `"quay.io/delinea/dsv-k8s"` | | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| imagePullSecrets | list | `[]` | | -| nameOverride | string | `""` | | -| podAnnotations | object | `{}` | podAnnotations @default - Includes `dsv-filter-name` for easier log selector filter. | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | replicate count @default - 1 | -| resources | object | No default values, user must specify to set resource limits. | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. | -| securityContext | object | `{}` | | -| service.port | int | `8543` | Default port for the injector webhook service. @default -- port 8543 | -| service.type | string | `"ClusterIP"` | ClusterIP is typical when the webhook is running as a POD However, it can also be hosted externally, which is useful for debugging, by providing the following instead: type: ExternalName externalName: my.fqdn So long as: - my.fqdn hosts an HTTPS endpoint on port {webhookPort} that answers URI {webhookUri} - the certificate must have a Subject Alternative Name for {name}.{namespace}.{svc}, e.g., dsv-injector.dsv.svc - the caBundle must be a base64 string containing a PEM-encoded certificate chain that validates the certifcate caBundle: ... | -| webhookPort | int | 8543 | webhookPort is the port that the webhook endpoint is listening on | -| webhookScope | string | "Namespaced" | webhookScope specifies which resources are in scope, "Cluster", "Namespaced" or "*" | -| webhookUri | string | `"/inject"` | webhookUri is path portion of the URL of the webhook endpoint | - +| Key | Type | Default | Description | +| ------------------ | ------ | -------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| containerPort | int | `18543` | containerPort is the port that the container itself listens on | +| credentialsJson | string | `"{\n \"default\": {\n \"credentials\": {\n \"clientId\": \"\",\n \"clientSecret\": \"\"\n },\n \"tenant\": \"example\"\n }\n}"` | credentialsJson contains the JSON-formatted credentials file (see README.md) @default - placeholder. _REQUIRED FIELD_ | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"Always"` | | +| image.repository | string | `"quay.io/delinea/dsv-k8s"` | | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| podAnnotations | object | `{}` | podAnnotations @default - Includes `dsv-filter-name` for easier log selector filter. | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | replicate count @default - 1 | +| resources | object | No default values, user must specify to set resource limits. | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. | +| securityContext | object | `{}` | | +| service.port | int | `8543` | Default port for the injector webhook service. @default -- port 8543 | +| service.type | string | `"ClusterIP"` | ClusterIP is typical when the webhook is running as a POD However, it can also be hosted externally, which is useful for debugging, by providing the following instead: type: ExternalName externalName: my.fqdn So long as: - my.fqdn hosts an HTTPS endpoint on port {webhookPort} that answers URI {webhookUri} - the certificate must have a Subject Alternative Name for {name}.{namespace}.{svc}, e.g., dsv-injector.dsv.svc - the caBundle must be a base64 string containing a PEM-encoded certificate chain that validates the certifcate caBundle: ... | +| webhookPort | int | 8543 | webhookPort is the port that the webhook endpoint is listening on | +| webhookScope | string | "Namespaced" | webhookScope specifies which resources are in scope, "Cluster", "Namespaced" or "\*" | +| webhookUri | string | `"/inject"` | webhookUri is path portion of the URL of the webhook endpoint | diff --git a/charts/dsv-injector/values.yaml b/charts/dsv-injector/values.yaml index 7442b8f..83ca8f9 100644 --- a/charts/dsv-injector/values.yaml +++ b/charts/dsv-injector/values.yaml @@ -33,10 +33,12 @@ fullnameOverride: '' # @default - Includes `dsv-filter-name` for easier log selector filter. podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + {} # fsGroup: 2000 -securityContext: {} +securityContext: + {} # capabilities: # drop: # - ALL diff --git a/charts/dsv-syncer/README.md b/charts/dsv-syncer/README.md index 72f4928..b014af6 100644 --- a/charts/dsv-syncer/README.md +++ b/charts/dsv-syncer/README.md @@ -6,29 +6,28 @@ A Helm chart for the Delinea DevOps Secrets Vault (DSV) Kubernetes Synchronizer ## Maintainers -| Name | Email | Url | -| ---- | ------ | --- | -| Sheldon Hull | | | -| Delinea DSV Team | | | +| Name | Email | Url | +| ---------------- | ----- | --- | +| Sheldon Hull | | | +| Delinea DSV Team | | | ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cronJobSchedule | string | `"* * * * *"` | cronJobSchedule controls when the syncer runs; five asterisks means "every minute". See [cronjob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax) @default - every minute, ie '* * * * *' | -| dsvInjectorCredentialsSecretName | string | `"dsv-injector-credentials"` | dsvInjectorCredentialsSecretName is the name of thecredentialsJson secret from the dsv-injector | -| fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"Always"` | | -| image.repository | string | `"quay.io/delinea/dsv-k8s"` | | -| image.tag | string | `""` | | -| imagePullSecrets | list | `[]` | | -| nameOverride | string | `""` | | -| podAnnotations | object | `{}` | default annotations to add @default - Adds `dsv-filter-name` to simplify log selector streaming | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | replicaCount @default - 1 | -| resources | object | No default values, user must specify to set resource limits. | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. | -| securityContext | object | `{}` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account @default - Adds `dsv-filter-name` to simplify log selector streaming | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created @default - true | -| serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the fullname template | - +| Key | Type | Default | Description | +| -------------------------------- | ------ | ------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| cronJobSchedule | string | `"* * * * *"` | cronJobSchedule controls when the syncer runs; five asterisks means "every minute". See [cronjob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax) @default - every minute, ie '\* \* \* \* \*' | +| dsvInjectorCredentialsSecretName | string | `"dsv-injector-credentials"` | dsvInjectorCredentialsSecretName is the name of thecredentialsJson secret from the dsv-injector | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"Always"` | | +| image.repository | string | `"quay.io/delinea/dsv-k8s"` | | +| image.tag | string | `""` | | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| podAnnotations | object | `{}` | default annotations to add @default - Adds `dsv-filter-name` to simplify log selector streaming | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | replicaCount @default - 1 | +| resources | object | No default values, user must specify to set resource limits. | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. | +| securityContext | object | `{}` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account @default - Adds `dsv-filter-name` to simplify log selector streaming | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created @default - true | +| serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the fullname template | diff --git a/charts/dsv-syncer/values.yaml b/charts/dsv-syncer/values.yaml index 6e9ca85..8e333cc 100644 --- a/charts/dsv-syncer/values.yaml +++ b/charts/dsv-syncer/values.yaml @@ -33,10 +33,12 @@ serviceAccount: # @default - Adds `dsv-filter-name` to simplify log selector streaming podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + {} # fsGroup: 2000 -securityContext: {} +securityContext: + {} # capabilities: # drop: # - ALL @@ -49,7 +51,8 @@ securityContext: {} # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # @default -- No default values, user must specify to set resource limits. -resources: {} +resources: + {} # limits: # cpu: 100m # memory: 128Mi diff --git a/renovate.json b/renovate.json index 8d45c06..97184c8 100644 --- a/renovate.json +++ b/renovate.json @@ -1,6 +1,4 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "DelineaXPM/renovate-config" - ] -} \ No newline at end of file + "extends": ["DelineaXPM/renovate-config"] +}

Adam C. Migus

๐Ÿ’ป ๐Ÿ“– โš ๏ธ

Adam C. +Migus

๐Ÿ’ป ๐Ÿ“– โš ๏ธ

sheldonhull

๐Ÿ’ป ๐Ÿ“– โš ๏ธ

Hans Boder

๐Ÿ›

tylerezimmerman

๐Ÿšง