feat: added upgrade script for secrets (#1967)

Co-authored-by: Jehoszafat Zimnowoda <[email protected]>
Co-authored-by: Ani Argjiri <[email protected]>
Co-authored-by: Dennis van Kekem <[email protected]>

Author: 4 people

tests/fixtures/env/teams/dev/sealedsecrets/42c53642-3b02-4d64-9a15-256d233b7bd2.yaml

@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+    name: test
+    namespace: team-beta
+    annotations:
+        sealedsecrets.bitnami.com/namespace-wide: 'true'
+spec:
+    encryptedData:
+        test: ghi
+    template:
+        immutable: false
+        metadata:
+            name: test
+            namespace: team-beta
+            annotations: {}
+            labels: {}
+        type: kubernetes.io/opaque

tests/fixtures/env/teams/dev/sealedsecrets/a916fd8f-f7d7-4621-908a-6f0cc38dd24b.yaml

@@ -0,0 +1,19 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+    name: beta
+    namespace: team-beta
+    annotations:
+        sealedsecrets.bitnami.com/namespace-wide: 'true'
+spec:
+    encryptedData:
+        password: abc
+        username: def
+    template:
+        immutable: false
+        metadata:
+            name: beta
+            namespace: team-beta
+            annotations: {}
+            labels: {}
+        type: kubernetes.io/opaque

tests/fixtures/env/teams/sealedsecrets.admin.yaml

@@ -87,3 +87,6 @@ operations:
   - version: 3.0.0
     pre:
       - upgrades/pre/upgrade-3-0-0.sh || true
+  - version: 4.4.0
+    pre:
+      - upgrades/pre/upgrade-4-4-0.mjs || true

tests/fixtures/env/teams/sealedsecrets.demo.yaml

@@ -0,0 +1,98 @@
+#!/usr/bin/env zx
+
+import { Glob } from "glob";
+import fs from 'fs/promises'
+import yaml from 'js-yaml'
+import envalid, { str } from "envalid";
+
+
+function createSealedSecret(oldSecret) {
+  const { name, namespace, type, immutable, encryptedData } = oldSecret
+  const annotations = {}
+  const labels = {}
+
+  const oldMetadata = oldSecret.metadata
+  if (oldMetadata) {
+    for (const annotation of oldMetadata.annotations || []) {
+      annotations[annotation.key] = annotation.value
+    }
+    for (const label of oldMetadata.labels || []) {
+      labels[label.key] = label.value
+    }
+  }
+
+  return {
+    'apiVersion': 'bitnami.com/v1alpha1',
+    'kind': 'SealedSecret',
+    'metadata': {
+      name,
+      namespace,
+      'annotations': {
+        'sealedsecrets.bitnami.com/namespace-wide': 'true',
+      },
+    },
+    'spec': {
+      'encryptedData': encryptedData,
+      'template': {
+        'immutable': immutable || false,
+        'metadata': {
+          name,
+          namespace,
+          annotations,
+          labels,
+        },
+        'type': type || 'kubernetes.io/opaque',
+      }
+    }
+  }
+}
+
+
+async function readSecretFile(filename) {
+  const secretYaml = await fs.readFile(filename, 'utf8')
+  return yaml.load(secretYaml)
+}
+
+
+async function writeSecretFile(filename, secret) {
+  const secretYaml = yaml.dump(secret)
+  await fs.writeFile(filename, secretYaml, 'utf8')
+}
+
+
+async function main() {
+  console.log('Migrating secret files')
+  const env = envalid.cleanEnv(process.env, {
+    ENV_DIR: str({desc: 'Values store'}),
+  })
+
+  const secretFiles = new Glob(`${env.ENV_DIR}/env/teams/sealedsecrets.*.yaml`, {})
+  for await (const secretFile of secretFiles) {
+    console.log('Migrating secrets from', secretFile)
+    const oldSecretFile = await readSecretFile(secretFile)
+    // Team values are wrapped in teamConfig.<teamName>.sealedsecrets
+    await Promise.all(
+      Object.entries(oldSecretFile.teamConfig).map(async ([teamName, teamValues]) => {
+        const teamSecretList = teamValues.sealedsecrets
+        if (teamSecretList && teamSecretList.length > 0) {
+          for (const oldSecret of teamSecretList) {
+            const secretId = oldSecret.id
+            const dirName = `${env.ENV_DIR}/env/teams/${teamName}/sealedsecrets`
+            await fs.mkdir(dirName, { recursive: true })
+            const sealedSecretFilename = `${dirName}/${secretId}.yaml`
+            const sealedSecret = createSealedSecret(oldSecret)
+            console.log('Writing migrated secret to', sealedSecretFilename)
+            await writeSecretFile(sealedSecretFilename, sealedSecret)
+          }
+          console.log('Completed migration of secrets in', secretFile)
+        } else {
+          console.log('No secrets found to migrate in', secretFile)
+        }
+      })
+    )
+    console.log('Cleaning up', secretFile)
+    await fs.rm(secretFile)
+  }
+  console.log('Finished migrating secret files.')
+}
+await main()

tests/fixtures/env/teams/sealedsecrets.dev.yaml

@@ -336,7 +336,3 @@ changes:
       - databases.harbor.resources.limits.cpu: '200m'
       - databases.harbor.resources.requests.memory: '192Mi'
       - databases.harbor.resources.requests.cpu: '200m'
-  - version: 33
-    deletions:
-      # FIXME: perform migration of to sealedsecrets dir before performin the removal of the property
-      - 'teamConfig.{team}.sealedsecrets'