Merge branch 'SparebankenVest:master' into custom_resync_periods

Author: wimi

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/controller-build.yaml

@@ -26,7 +26,7 @@ jobs:
     - name: Setup Golang
       uses: actions/setup-go@v1
       with:
-        go-version: '1.13.4'
+        go-version: '1.18.1'
 
     - name: Build
       uses: ./.github/actions/build

.github/workflows/pull-request.yaml

@@ -21,10 +21,10 @@ jobs:
     - name: Setup Golang
       uses: actions/setup-go@v1
       with:
-        go-version: '1.13.4'
+        go-version: '1.18.1'
 
     - name: Test
       run: make test
 
     - name: Build docker images
-      run: make build
+      run: make build

.github/workflows/vaultenv-build.yaml

@@ -26,7 +26,7 @@ jobs:
     - name: Setup Golang
       uses: actions/setup-go@v1
       with:
-        go-version: '1.13.4'
+        go-version: '1.18.1'
 
     - name: Build
       uses: ./.github/actions/build

.github/workflows/webhook-build.yaml

@@ -26,7 +26,7 @@ jobs:
     - name: Setup Golang
       uses: actions/setup-go@v1
       with:
-        go-version: '1.13.4'
+        go-version: '1.18.1'
 
     - name: Build
       uses: ./.github/actions/build

.gitignore

@@ -1,9 +1,10 @@
 bin
 debug.test
 .vscode
+.idea
 /vendor/
 /tmp/
 /.tools/
 *.tmp
 test.yaml
-coverage.txt
+coverage.txt

CHANGELOG-1.3.md

@@ -0,0 +1,96 @@
+---
+title: "Changelog for Version 1.3"
+description: "All changes in version 1.3"
+---
+
+# Changelog for Version 1.3
+
+## Version 1.3.1
+
+The most notable changes in this release are:
+
+* Fallback to the Pod generated name when creating a secret for an unnamed pod #322
+* Use a more refined regex to match valid injectable secret names #320 #281
+* Fixes correct RBAC Role vs ClusterRole when `watchAllNamespaces` is `false` SparebankenVest/public-helm-charts#62
+* Upgrade k8s client v0.23.5
+* Upgrade go 1.18
+* Upgrade alpine base image 3.15.6
+
+### Controller
+
+#### Features
+
+* Upgrade k8s client v0.23.5
+* Upgrade go 1.18
+* Upgrade alpine base image 3.15.6
+
+#### Bug Fixes
+
+* Fallback to the Pod generated name when creating a secret for an unnamed pod #322
+* Use a more refined regex to match valid injectable secret names #320 #281
+
+### Helm Charts
+
+* Add priorityClassName spec to akv2k8s controller deployment SparebankenVest/public-helm-charts#60
+* Fixes correct RBAC Role vs ClusterRole when `watchAllNamespaces` is `false` SparebankenVest/public-helm-charts#62
+* Remove duplicate MTLS_PORT environment variable SparebankenVest/public-helm-charts#70
+* Upgrade PodDistributionBudget api version to v1 SparebankenVest/public-helm-charts#71
+* Update generated CRD
+
+### Chart and Image versions
+
+| Type         | Component                                                                                          | Version |
+| ------------ | -------------------------------------------------------------------------------------------------- | ------- |
+| Helm Chart   | [akv2k8s](https://github.com/SparebankenVest/public-helm-charts/tree/akv2k8s-2.2.0/stable/akv2k8s) | 2.2.0   |
+| Docker Image | spvest/azure-keyvault-controller                                                                   | 1.3.1   |
+| Docker Image | spvest/azure-keyvault-webhook                                                                      | 1.3.1   |
+| Docker Image | spvest/azure-keyvault-env                                                                          | 1.3.1   |
+
+## Version 1.3.0
+
+The most notable changes in this release are:
+
+* Ability to run controller in specific namespace only
+* Ability to allow akvs objects with different labels to be handled by controllers with different authorization policies
+* Generate CRD's from code with controller-gen
+
+
+### Controller
+
+#### Features
+
+* #82 - Allow controller to run in specific namespace only
+* #159 - Generate crd with controller gen
+* #174 - Export certificates stored as Base64 PFX in Azure Key Vault secret object as Kubernetes TLS secret
+* #178 - Allow akvs objects with different labels to be handled by controllers with different authorization policies
+* #202 - Upgrade dependencies k8s to v0.21.2
+* Upgrade to Go 1.16.5
+* Upgrade alpine base image to 3.14.0
+
+#### Bug Fixes
+
+* #209 - Fix using an EC header/footer for ECDSA keys
+
+
+### Docs
+
+* Docs for version `1.3` is default - added version `1.2` to version dropdown
+
+### Helm Charts
+
+* Add generated crd from SparebankenVest/azure-key-vault-to-kubernetes#159
+* Ignore files in .helmignore
+* Add support for watchAllNamespaces
+* SparebankenVest/public-helm-charts#45 - Upgrade cert-manager CRD's to api version v1
+* Remove unused RUNNING_INSIDE_AZURE_AKS env
+* SparebankenVest/public-helm-charts#57 - Add optional pod annotations to the controller
+* SparebankenVest/public-helm-charts#59 - Add optional pod security context
+
+### Chart and Image versions
+
+| Type         | Component                                                                                          | Version |
+| ------------ | -------------------------------------------------------------------------------------------------- | ------- |
+| Helm Chart   | [akv2k8s](https://github.com/SparebankenVest/public-helm-charts/tree/akv2k8s-2.1.0/stable/akv2k8s) | 2.1.0   |
+| Docker Image | spvest/azure-keyvault-controller                                                                   | 1.3.0   |
+| Docker Image | spvest/azure-keyvault-webhook                                                                      | 1.3.0   |
+| Docker Image | spvest/azure-keyvault-env                                                                          | 1.3.0   |

Dockerfile

@@ -1,18 +1,25 @@
 ARG BASEIMAGE=gcr.io/distroless/static:nonroot
-ARG BASE_ALPINE=alpine:3.13.2
-ARG GO_VERSION=1.15.3
+ARG BASE_ALPINE=alpine:3.15.4
+ARG GO_VERSION=1.18.1
 
 # -------
 # Builder
 # -------
-FROM golang:${GO_VERSION} AS builder
+FROM golang:${GO_VERSION} AS base_builder
+ARG PACKAGE
+
+WORKDIR /go/src/${PACKAGE}
+ADD go.mod go.sum /go/src/${PACKAGE}
+RUN go mod download
+
+FROM base_builder AS builder
 ARG PACKAGE
 ARG VCS_REF=noref
 ARG BUILD_SUB_TARGET
 
 WORKDIR /go/src/${PACKAGE}
+
 ADD . .
-RUN go mod download
 RUN GIT_TAG=${VCS_REF} make build${BUILD_SUB_TARGET}
 
 # ------------
@@ -28,7 +35,7 @@ LABEL org.label-schema.vcs-ref=$VCS_REF
 LABEL org.label-schema.vcs-url=$VCS_URL
 LABEL org.label-schema.url=$VCS_URL
 LABEL org.label-schema.description="A Kubernetes Mutating Admission Webhook that adds an init container to a pod that will inject environment variables from Azure Key Vault"
-LABEL org.label-schema.vendor="Sparebanken Vest"      
+LABEL org.label-schema.vendor="Sparebanken Vest"
 LABEL org.label-schema.author="Jon Arild Tørresdal"
 
 COPY --from=builder /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/bin/azure-key-vault-to-kubernetes/azure-keyvault-secrets-webhook /usr/local/bin/
@@ -48,7 +55,7 @@ LABEL org.label-schema.vcs-ref=$VCS_REF
 LABEL org.label-schema.vcs-url=$VCS_URL
 LABEL org.label-schema.url=$VCS_URL
 LABEL org.label-schema.description="A Kubernetes Mutating Admission Webhook that adds an init container to a pod that will inject environment variables from Azure Key Vault"
-LABEL org.label-schema.vendor="Sparebanken Vest"      
+LABEL org.label-schema.vendor="Sparebanken Vest"
 LABEL org.label-schema.author="Jon Arild Tørresdal"
 
 COPY --from=builder /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/bin/azure-key-vault-to-kubernetes/azure-keyvault-controller /usr/local/bin/
@@ -68,7 +75,7 @@ LABEL org.label-schema.vcs-ref=$VCS_REF
 LABEL org.label-schema.vcs-url=$VCS_URL
 LABEL org.label-schema.url=$VCS_URL
 LABEL org.label-schema.description="A Kubernetes Mutating Admission Webhook that adds an init container to a pod that will inject environment variables from Azure Key Vault"
-LABEL org.label-schema.vendor="Sparebanken Vest"      
+LABEL org.label-schema.vendor="Sparebanken Vest"
 LABEL org.label-schema.author="Jon Arild Tørresdal"
 
 COPY --from=builder /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/bin/azure-key-vault-to-kubernetes/azure-keyvault-env /usr/local/bin/

Makefile

@@ -77,8 +77,8 @@ check-mod: mod
 
 .PHONY: lint
 lint: $(TOOLS_DIR)/golangci-lint $(TOOLS_DIR)/misspell
-	$(TOOLS_DIR)/golangci-lint run --timeout=5m
-	$(TOOLS_DIR)/misspell -w $(ALL_DOCS) && \
+	$(TOOLS_DIR)/golangci-lint run --timeout=5m && \
+	find . -type f \( -iname \*.go -o -iname \*.md \) | xargs $(TOOLS_DIR)/misspell -w && \
 	go mod tidy
 
 .PHONY: print-v-webhook
@@ -139,7 +139,7 @@ codegen:
 .PHONY: crdgen
 crdgen: $(TOOLS_DIR)/controller-gen
 	$(TOOLS_DIR)/controller-gen \
-		crd:crdVersions=v1,preserveUnknownFields=false,trivialVersions=true \
+		crd:crdVersions=v1 \
   		paths=./pkg/k8s/apis/azurekeyvault/v1alpha1/... \
   		paths=./pkg/k8s/apis/azurekeyvault/v1/... \
   		paths=./pkg/k8s/apis/azurekeyvault/v2alpha1/... \

README.md

@@ -32,7 +32,7 @@
 
 <p align="center"><i>Documentation available at <a href="https://akv2k8s.io">https://akv2k8s.io</a>. Join our <a href="https://join.slack.com/t/akv2k8s/shared_invite/zt-lfx2qdky-SGjwN8qTfca6bdeIyk46lg">Slack Workspace</a> to ask questions to the akv2k8s community.</i></p>
 
-<p align="center"><i>Please spare one minute to take our survey: <a href="https://www.surveymonkey.com/r/HMFZVYR">https://www.surveymonkey.com/r/HMFZVYR</a>. Why? We have no ide how many are using Akv2k8s, except through user interaction here on GitHub. More importantly - what can we do to make Akv2k8s even better?</i></p>
+<p align="center"><i>Please spare one minute to take our survey: <a href="https://www.surveymonkey.com/r/HMFZVYR">https://www.surveymonkey.com/r/HMFZVYR</a>. Why? We have no idea how many are using Akv2k8s, except through user interaction here on GitHub. More importantly - what can we do to make Akv2k8s even better?</i></p>
 
 ## Overview
 
@@ -41,13 +41,13 @@ Azure Key Vault to Kubernetes (akv2k8s) will make Azure Key Vault objects availa
 * As native Kubernetes `Secret`s 
 * As environment variables directly injected into your Container application
 
-The **Azure Key Vault Controller** (Controller for short) is responsible for synchronizing Secrets, Certificates and Keys from Azure Key Vault to native `Secret`'s in Kubernetes.
+The **Azure Key Vault Controller** (Controller for short) is responsible for synchronizing Secrets, Certificates and Keys from Azure Key Vault to native `Secret`s in Kubernetes.
 
-The **Azure Key Vault Env Injector** (Env Injector for short) is responsible for transparently injecting Azure Key Vault secrets as environment variables into Container applications, without touching disk or expose the actual secret to Kubernetes.
+The **Azure Key Vault Env Injector** (Env Injector for short) is responsible for transparently injecting Azure Key Vault secrets as environment variables into Container applications, without touching disk or exposing the actual secret to Kubernetes.
 
 ## Goals
 
-Goals for this project was:
+The goals for this project were:
 
 1. Avoid a direct program dependency on Azure Key Vault for getting secrets, and adhere to the 12 Factor App principle for configuration (https://12factor.net/config)
 2. Make it simple, secure and low risk to transfer Azure Key Vault secrets into Kubernetes as native Kubernetes secrets
@@ -57,15 +57,15 @@ All of these goals are met.
 
 ## Installation
 
-For installation instructions, see documentation at https://akv2k8s.io/installation/
+For installation instructions, see documentation at https://akv2k8s.io/installation/.
 
 ## Credits
 
 Credit goes to Banzai Cloud for coming up with the [original idea](https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) of environment injection for their [bank-vaults](https://github.com/banzaicloud/bank-vaults) solution, which they use to inject Hashicorp Vault secrets into Pods.
 
 ## Contributing
 
-Development of Azure Key Vault for Kubernetes happens in the open on GitHub, and encourage users to:
+Development of Azure Key Vault for Kubernetes happens in the open on GitHub, and we encourage users to:
 
 * Send a pull request with 
   * any security issues found and fixed
@@ -85,5 +85,5 @@ Azure Key Vault to Kubernetes is licensed under Apache License 2.0.
 
 ### Contribute to the Documentation
 
-The documentation is located in a seperate repository at https://github.com/SparebankenVest/akv2k8s-website. We're using Gatsby + MDX (Markdown + JSX) to generate static docs for https://akv2k8s.io.
+The documentation is located in a separate repository at https://github.com/SparebankenVest/akv2k8s-website. We're using Gatsby + MDX (Markdown + JSX) to generate static docs for https://akv2k8s.io.
 

cmd/azure-keyvault-controller/controller/azureeKeyVaultSecret_test.go

@@ -40,7 +40,6 @@ func TestNullLookup(t *testing.T) {
 }
 
 const (
-	fakeSecret     = "some secret"
 	fakeJsonSecret = `{
 		"someKey": "someValue",
 		"someOtherKey": "someOtherValue"

cmd/azure-keyvault-controller/controller/configmap.go

@@ -37,21 +37,6 @@ import (
 	"k8s.io/client-go/tools/cache"
 )
 
-func convertToConfigMap(obj interface{}) (*corev1.ConfigMap, error) {
-	cm, ok := obj.(*corev1.ConfigMap)
-	if !ok {
-		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
-		if !ok {
-			return nil, fmt.Errorf("couldn't get object from tombstone %#v", obj)
-		}
-		cm, ok = tombstone.Obj.(*corev1.ConfigMap)
-		if !ok {
-			return nil, fmt.Errorf("tombstone contained object that is not a ConfigMap %#v", obj)
-		}
-	}
-	return cm, nil
-}
-
 func (c *Controller) getConfigMapByKey(key string) (*corev1.ConfigMap, error) {
 	namespace, name, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
@@ -290,7 +275,7 @@ func determineConfigMapName(azureKeyVaultSecret *akv.AzureKeyVaultSecret) string
 func getMD5HashOfStringValues(values map[string]string) string {
 	var mergedValues bytes.Buffer
 
-	// sort keys to make sure hash is consistant
+	// sort keys to make sure hash is consistent
 	keys := sortStringValueKeys(values)
 
 	for _, k := range keys {

cmd/azure-keyvault-controller/controller/secret.go

@@ -37,21 +37,6 @@ import (
 	"k8s.io/client-go/tools/cache"
 )
 
-func convertToSecret(obj interface{}) (*corev1.Secret, error) {
-	secret, ok := obj.(*corev1.Secret)
-	if !ok {
-		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
-		if !ok {
-			return nil, fmt.Errorf("couldn't get object from tombstone %#v", obj)
-		}
-		secret, ok = tombstone.Obj.(*corev1.Secret)
-		if !ok {
-			return nil, fmt.Errorf("tombstone contained object that is not a Secret %#v", obj)
-		}
-	}
-	return secret, nil
-}
-
 func (c *Controller) getSecretByKey(key string) (*corev1.Secret, error) {
 	namespace, name, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
@@ -327,7 +312,7 @@ func determineSecretType(azureKeyVaultSecret *akv.AzureKeyVaultSecret) corev1.Se
 func getMD5HashOfByteValues(values map[string][]byte) string {
 	var mergedValues bytes.Buffer
 
-	// sort keys to make sure hash is consistant
+	// sort keys to make sure hash is consistent
 	keys := sortByteValueKeys(values)
 
 	for _, k := range keys {

cmd/azure-keyvault-controller/controller/secret_handler.go

@@ -265,7 +265,7 @@ func (h *azureKeyHandler) HandleConfigMap() (map[string]string, error) {
 	return values, nil
 }
 
-// Handle getting and formating Azure Key Vault Secret containing mulitple values from Azure Key Vault to Kubernetes
+// Handle getting and formating Azure Key Vault Secret containing multiple values from Azure Key Vault to Kubernetes
 func (h *azureMultiValueSecretHandler) HandleSecret() (map[string][]byte, error) {
 	values := make(map[string][]byte)
 
@@ -300,7 +300,7 @@ func (h *azureMultiValueSecretHandler) HandleSecret() (map[string][]byte, error)
 	return values, nil
 }
 
-// Handle getting and formating Azure Key Vault Secret containing mulitple values from Azure Key Vault to Kubernetes
+// Handle getting and formating Azure Key Vault Secret containing multiple values from Azure Key Vault to Kubernetes
 func (h *azureMultiValueSecretHandler) HandleConfigMap() (map[string]string, error) {
 	values := make(map[string]string)