From 7b9630e37d5409e669743157a29bcdfd7d29caa3 Mon Sep 17 00:00:00 2001 From: Ahmad Ibrahim Date: Wed, 13 Mar 2024 09:57:46 -0700 Subject: [PATCH 1/6] feat: support pubkey secret creation --- chart/validator/README.md | 80 ++++++++++--------- .../templates/plugin-secret-oci-auth.yaml | 10 +++ .../templates/plugin-secret-oci-pubkey.yaml | 11 +++ .../templates/plugin-secret-oci.yaml | 10 --- chart/validator/values.yaml | 29 ++++--- 5 files changed, 84 insertions(+), 56 deletions(-) create mode 100644 chart/validator/templates/plugin-secret-oci-auth.yaml create mode 100644 chart/validator/templates/plugin-secret-oci-pubkey.yaml delete mode 100644 chart/validator/templates/plugin-secret-oci.yaml diff --git a/chart/validator/README.md b/chart/validator/README.md index 68ad18fa..818fd8fa 100644 --- a/chart/validator/README.md +++ b/chart/validator/README.md 
@@ -9,43 +9,49 @@ Monitor results created by validator plugins and upload them to a configurable s The following table lists the configurable parameters of the Validator chart and their default values. -| Parameter | Description | Default | -| ------------------------ | ----------------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `controllerManager.kubeRbacProxy.args` | | `["--secure-listen-address=0.0.0.0:8443", 
"--upstream=http://127.0.0.1:8080/", "--logtostderr=true", "--v=0"]` | -| `controllerManager.kubeRbacProxy.containerSecurityContext.allowPrivilegeEscalation` | | `false` | -| `controllerManager.kubeRbacProxy.containerSecurityContext.capabilities.drop` | | `["ALL"]` | -| `controllerManager.kubeRbacProxy.image.repository` | | `"gcr.io/kubebuilder/kube-rbac-proxy"` | -| `controllerManager.kubeRbacProxy.image.tag` | | `"v0.15.0"` | -| `controllerManager.kubeRbacProxy.resources.limits.cpu` | | `"500m"` | -| `controllerManager.kubeRbacProxy.resources.limits.memory` | | `"128Mi"` | -| `controllerManager.kubeRbacProxy.resources.requests.cpu` | | `"5m"` | -| `controllerManager.kubeRbacProxy.resources.requests.memory` | | `"64Mi"` | -| `controllerManager.manager.args` | | `["--health-probe-bind-address=:8081", "--leader-elect"]` | -| `controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation` | | `false` | -| `controllerManager.manager.containerSecurityContext.capabilities.drop` | | `["ALL"]` | -| `controllerManager.manager.image.repository` | | `"quay.io/spectrocloud-labs/validator"` | -| `controllerManager.manager.image.tag` | x-release-please-version | `"v0.0.37"` | -| `controllerManager.manager.resources.limits.cpu` | | `"500m"` | -| `controllerManager.manager.resources.limits.memory` | | `"512Mi"` | -| `controllerManager.manager.resources.requests.cpu` | | `"10m"` | -| `controllerManager.manager.resources.requests.memory` | | `"64Mi"` | -| `controllerManager.manager.sinkWebhookTimeout` | | `"30s"` | -| `controllerManager.replicas` | | `1` | -| `controllerManager.serviceAccount.annotations` | | `{}` | -| `kubernetesClusterDomain` | | `"cluster.local"` | -| `metricsService.ports` | | `[{"name": "https", "port": 8443, "protocol": "TCP", "targetPort": "https"}]` | -| `metricsService.type` | | `"ClusterIP"` | -| `env` | | `[]` | -| `proxy.enabled` | | `false` | -| `proxy.image` | | `"quay.io/spectrocloud-labs/validator-certs-init:latest"` | -| 
`proxy.secretName` | | `"proxy-cert"` | -| `proxy.createSecret` | | `false` | -| `proxy.caCert` | Raw CA certificate, required if createSecret is true | `""` | -| `sink` | | `{}` | -| `plugins` | | `[{"chart": {"name": "validator-plugin-aws", "repository": "https://spectrocloud-labs.github.io/validator-plugin-aws", "version": "v0.0.18"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.15.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-aws\n tag: v0.0.18\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Option 1: Leave secret undefined for implicit auth (node instance IAM role, IMDSv2, etc.)\n # Option 2: Create a secret via pluginSecrets (see below). 
Note: secretName and pluginSecrets.aws.secretName must match.\n # Option 3: Specify the name of a preexisting secret in your target cluster and leave pluginSecrets.aws undefined.\n #\n secret: {} # Delete these curly braces if you're specifying secretName!\n # secretName: aws-creds\n\n # Override the service account used by AWS validator (optional, could be used for IMDSv2 on EKS)\n # WARNING: the chosen service account must include all RBAC privileges found in the AWS plugin template:\n # https://github.com/spectrocloud-labs/validator-plugin-aws/blob/main/chart/validator-plugin-aws/templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"chart": {"name": "validator-plugin-azure", "repository": "https://spectrocloud-labs.github.io/validator-plugin-azure", "version": "v0.0.2"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.15.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-azure\n tag: v0.0.2\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: 
https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Option 1: Leave secret undefined for WorkloadIdentityCredential authentication.\n # Option 2: Create a secret via pluginSecrets (see below). Note: secretName and pluginSecrets.azure.secretName must match.\n # Option 3: Specify the name of a preexisting secret in your target cluster and leave pluginSecrets.azure undefined.\n #\n secret: {} # Delete these curly braces if you're specifying secretName!\n # secretName: azure-creds\n\n # Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)\n # WARNING: the chosen service account must include all RBAC privileges found in the Azure plugin template:\n # https://github.com/spectrocloud-labs/validator-plugin-aws/blob/main/chart/validator-plugin-azure/templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"chart": {"name": "validator-plugin-vsphere", "repository": "https://spectrocloud-labs.github.io/validator-plugin-vsphere", "version": "v0.0.15"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.14.1\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-vsphere\n tag: v0.0.13\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: 
https\n type: ClusterIP\nauth:\n # Option 1: Create a secret via pluginSecrets (see below). Note: secretName and pluginSecrets.vSphere.secretName must match.\n # Option 2: Specify the name of a preexisting secret in your target cluster and leave pluginSecrets.vSphere undefined.\n secretName: vsphere-creds"}, {"chart": {"name": "validator-plugin-network", "repository": "https://spectrocloud-labs.github.io/validator-plugin-network", "version": "v0.0.9"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.15.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - NET_RAW\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-network\n tag: v0.0.9\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}]` | -| `pluginSecrets.aws` | Don't forget to delete these curly braces if you're specifying credentials here! | `{}` | -| `pluginSecrets.azure` | Don't forget to delete these curly braces if you're specifying credentials here! | `{}` | -| `pluginSecrets.vSphere` | Don't forget to delete these curly braces if you're specifying credentials here! 
| `{}` | +| Parameter | Description | Default | +| ------------------------ | ----------------------- | -------------- | +| `controllerManager.kubeRbacProxy.args` | | `["--secure-listen-address=0.0.0.0:8443", "--upstream=http://127.0.0.1:8080/", "--logtostderr=true", "--v=0"]` | +| `controllerManager.kubeRbacProxy.containerSecurityContext.allowPrivilegeEscalation` | | `false` | +| `controllerManager.kubeRbacProxy.containerSecurityContext.capabilities.drop` | | `["ALL"]` | +| `controllerManager.kubeRbacProxy.image.repository` | | `"gcr.io/kubebuilder/kube-rbac-proxy"` | +| `controllerManager.kubeRbacProxy.image.tag` | | `"v0.15.0"` | +| `controllerManager.kubeRbacProxy.resources.limits.cpu` | | `"500m"` | +| `controllerManager.kubeRbacProxy.resources.limits.memory` | | `"128Mi"` | +| `controllerManager.kubeRbacProxy.resources.requests.cpu` | | `"5m"` | +| `controllerManager.kubeRbacProxy.resources.requests.memory` | | `"64Mi"` | +| `controllerManager.manager.args` | | `["--health-probe-bind-address=:8081", "--leader-elect"]` | +| `controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation` | | `false` | +| `controllerManager.manager.containerSecurityContext.capabilities.drop` | | `["ALL"]` | +| `controllerManager.manager.image.repository` | | `"quay.io/spectrocloud-labs/validator"` | +| `controllerManager.manager.image.tag` | x-release-please-version | `"v0.0.37"` | +| `controllerManager.manager.resources.limits.cpu` | | `"500m"` | +| `controllerManager.manager.resources.limits.memory` | | `"512Mi"` | +| `controllerManager.manager.resources.requests.cpu` | | `"10m"` | +| `controllerManager.manager.resources.requests.memory` | | `"64Mi"` | +| `controllerManager.manager.sinkWebhookTimeout` | | `"30s"` | +| `controllerManager.replicas` | | `1` | +| `controllerManager.serviceAccount.annotations` | | `{}` | +| `kubernetesClusterDomain` | | `"cluster.local"` | +| `metricsService.ports` | | `[{"name": "https", "port": 8443, "protocol": "TCP", "targetPort": 
"https"}]` | +| `metricsService.type` | | `"ClusterIP"` | +| `env` | | `[]` | +| `proxy.enabled` | | `false` | +| `proxy.image` | | `"quay.io/spectrocloud-labs/validator-certs-init:latest"` | +| `proxy.secretName` | | `"proxy-cert"` | +| `proxy.createSecret` | | `false` | +| `proxy.caCert` | | `"-----BEGIN CERTIFICATE-----\n\n-----END CERTIFICATE-----\n"` | +| `sink` | | `{}` | +| `cleanup.image` | | `"gcr.io/spectro-images-public/release/spectro-cleanup:1.2.0"` | +| `cleanup.grpcServerEnabled` | | `true` | +| `cleanup.hostname` | | `"validator-cleanup-service"` | +| `cleanup.port` | | `3006` | +| `plugins` | | `[{"chart": {"name": "validator-plugin-aws", "repository": "https://spectrocloud-labs.github.io/validator-plugin-aws", "version": "v0.0.18"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.15.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-aws\n tag: v0.0.18\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Option 1: Leave secret undefined for implicit auth (node instance IAM role, IMDSv2, etc.)\n # Option 2: Create a secret via pluginSecrets (see below). 
Note: secretName and pluginSecrets.aws.secretName must match.\n # Option 3: Specify the name of a preexisting secret in your target cluster and leave pluginSecrets.aws undefined.\n #\n secret: {} # Delete these curly braces if you're specifying secretName!\n # secretName: aws-creds\n\n # Override the service account used by AWS validator (optional, could be used for IMDSv2 on EKS)\n # WARNING: the chosen service account must include all RBAC privileges found in the AWS plugin template:\n # https://github.com/spectrocloud-labs/validator-plugin-aws/blob/main/chart/validator-plugin-aws/templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"chart": {"name": "validator-plugin-azure", "repository": "https://spectrocloud-labs.github.io/validator-plugin-azure", "version": "v0.0.2"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.15.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-azure\n tag: v0.0.2\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n # Optionally specify a volumeMount to mount a volume containing a private key\n # to leverage Azure Service principal with certificate authentication.\n volumeMounts: []\n replicas: 1\n serviceAccount:\n annotations: {}\n # Optionally specify a volume containing a private key to leverage Azure Service\n # principal with certificate authentication.\n volumes: []\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: 
https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP\nauth:\n # Option 1: Leave secret undefined for WorkloadIdentityCredential authentication.\n # Option 2: Create a secret via pluginSecrets (see below). Note: secretName and pluginSecrets.azure.secretName must match.\n # Option 3: Specify the name of a preexisting secret in your target cluster and leave pluginSecrets.azure undefined.\n #\n secret: {} # Delete these curly braces if you're specifying secretName!\n # secretName: azure-creds\n\n # Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)\n # WARNING: the chosen service account must include all RBAC privileges found in the Azure plugin template:\n # https://github.com/spectrocloud-labs/validator-plugin-aws/blob/main/chart/validator-plugin-azure/templates/manager-rbac.yaml\n serviceAccountName: \"\""}, {"chart": {"name": "validator-plugin-vsphere", "repository": "https://spectrocloud-labs.github.io/validator-plugin-vsphere", "version": "v0.0.15"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.14.1\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-vsphere\n tag: v0.0.15\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: 
https\n type: ClusterIP\nauth:\n # Option 1: Create a secret via pluginSecrets (see below). Note: secretName and pluginSecrets.vSphere.secretName must match.\n # Option 2: Specify the name of a preexisting secret in your target cluster and leave pluginSecrets.vSphere undefined.\n secretName: vsphere-creds"}, {"chart": {"name": "validator-plugin-network", "repository": "https://spectrocloud-labs.github.io/validator-plugin-network", "version": "v0.0.9"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.15.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: true\n capabilities:\n add:\n - NET_RAW\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-network\n tag: v0.0.9\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}, {"chart": {"name": "validator-plugin-oci", "repository": "https://spectrocloud-labs.github.io/validator-plugin-oci", "version": "v0.0.7"}, "values": "controllerManager:\n kubeRbacProxy:\n args:\n - --secure-listen-address=0.0.0.0:8443\n - --upstream=http://127.0.0.1:8080/\n - --logtostderr=true\n - --v=0\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: gcr.io/kubebuilder/kube-rbac-proxy\n tag: v0.15.0\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 5m\n 
memory: 64Mi\n manager:\n args:\n - --health-probe-bind-address=:8081\n - --leader-elect\n containerSecurityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL\n image:\n repository: quay.io/spectrocloud-labs/validator-plugin-oci\n tag: v0.0.7\n resources:\n limits:\n cpu: 500m\n memory: 128Mi\n requests:\n cpu: 10m\n memory: 64Mi\n replicas: 1\n serviceAccount:\n annotations: {}\nkubernetesClusterDomain: cluster.local\nmetricsService:\n ports:\n - name: https\n port: 8443\n protocol: TCP\n targetPort: https\n type: ClusterIP"}]` | +| `pluginSecrets.aws` | Don't forget to delete these curly braces if you're specifying credentials here! | `{}` | +| `pluginSecrets.azure` | Don't forget to delete these curly braces if you're specifying credentials here! | `{}` | +| `pluginSecrets.vSphere` | Don't forget to delete these curly braces if you're specifying credentials here! | `{}` | +| `pluginSecrets.oci.auth` | Don't forget to delete these square brackets if you're specifying credentials here! | `[]` | +| `pluginSecrets.oci.pubKeys` | Don't forget to delete these square brackets if you're specifying public keys here! | `[]` | diff --git a/chart/validator/templates/plugin-secret-oci-auth.yaml b/chart/validator/templates/plugin-secret-oci-auth.yaml new file mode 100644 index 00000000..1eea6aa9 --- /dev/null +++ b/chart/validator/templates/plugin-secret-oci-auth.yaml @@ -0,0 +1,10 @@ +{{- range .Values.pluginSecrets.oci.auth }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ required ".Values.pluginSecrets.oci.auth.secretName is required!" .secretName }} +stringData: + username: {{ required ".Values.pluginSecrets.oci.auth.username is required!" .username }} + password: {{ required ".Values.pluginSecrets.oci.auth.password is required!" .password }} +--- +{{- end }} diff --git a/chart/validator/templates/plugin-secret-oci-pubkey.yaml b/chart/validator/templates/plugin-secret-oci-pubkey.yaml new file mode 100644 index 00000000..eea4df8f --- /dev/null 
+++ b/chart/validator/templates/plugin-secret-oci-pubkey.yaml @@ -0,0 +1,11 @@ +{{- range .Values.pluginSecrets.oci.pubKeys }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ required ".Values.pluginSecrets.oci.pubKeys.secretName is required!" .secretName }} +data: + {{- range $key, $val := . }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end }} +--- +{{- end }} diff --git a/chart/validator/templates/plugin-secret-oci.yaml b/chart/validator/templates/plugin-secret-oci.yaml deleted file mode 100644 index 0ff0938c..00000000 --- a/chart/validator/templates/plugin-secret-oci.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- range .Values.pluginSecrets.oci }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ required ".Values.pluginSecrets.oci.secretName is required!" .secretName }} -stringData: - username: {{ required ".Values.pluginSecrets.oci.username is required!" .username }} - password: {{ required ".Values.pluginSecrets.oci.password is required!" .password }} ---- -{{- end }} diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml index ebc23efe..5ff05afe 100644 --- a/chart/validator/values.yaml +++ b/chart/validator/values.yaml @@ -372,7 +372,7 @@ plugins: - chart: name: validator-plugin-oci repository: "https://spectrocloud-labs.github.io/validator-plugin-oci" - version: v0.0.2 + version: v0.0.7 values: |- controllerManager: kubeRbacProxy: @@ -407,7 +407,7 @@ plugins: - ALL image: repository: quay.io/spectrocloud-labs/validator-plugin-oci - tag: v0.0.2 + tag: v0.0.7 resources: limits: cpu: 500m 
@@ -477,12 +477,23 @@ pluginSecrets: # vcenterServer: "" # insecureSkipVerify: "" - # If installing the OCI plugin and validating against private registries, the below config is required unless the following applies: - # - The target cluster already contains secrets with the correct format for all private registries. - # If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci.yaml for - # an example of the expected format and ensure that it exists in the same namespace as the Helm release. - # - oci: [] # Don't forget to delete these square brackets if you're specifying credentials here! - # - secretName: registry-creds # ensure this matches the secretName in the OciRegistryRule + oci: + # If installing the OCI plugin and validating against private registries, the below config is required unless the following applies: + # - The target cluster already contains secrets with the correct format for all private registries. + # If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-auth.yaml for + # an example of the expected format and ensure that it exists in the same namespace as the Helm release. + # + auth: [] # Don't forget to delete these square brackets if you're specifying credentials here! + # - secretName: registry-creds # ensure this matches the credentials secretName in the OciRegistryRule # username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here # password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here + # + # If installing the OCI plugin and enabling signature verification of artifacts, the below config is required unless the following applies: + # - The target cluster already contains secrets with the correct format for all public keys used for signing artifacts. 
+ # If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-pubkey.yaml for + # an example of the expected format and ensure that it exists in the same namespace as the Helm release. + # + pubKeys: [] # Don't forget to delete these square brackets if you're specifying public keys here! + # - secretName: cosign-public-keys # ensure this matches the public key secretName in the OciRegistryRule + # pubkey1.pub: # ensure the key name ends in .pub + # pubkey2.pub: From 095b5b92816c7fe6fd93bf7c44a36beb58148b6d Mon Sep 17 00:00:00 2001 From: Ahmad Ibrahim Date: Wed, 13 Mar 2024 10:12:43 -0700 Subject: [PATCH 2/6] feat: add support for .env files --- .gitignore | 5 ++++- Makefile | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index dfe0c5ea..eaf77b75 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ - # Binaries for programs and plugins *.exe *.exe~ @@ -27,3 +26,7 @@ Dockerfile.cross *.swp *.swo *~ + +# misc +.DS_Store +.env diff --git a/Makefile b/Makefile index 04163be2..76042296 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,7 @@ +ifneq (,$(wildcard ./.env)) + include .env + export +endif # Image URL to use all building/pushing image targets IMG ?= quay.io/spectrocloud-labs/validator:latest @@ -201,4 +205,4 @@ helm-package: generate manifests .PHONY: frigate frigate: - frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md \ No newline at end of file + frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md From 8b1895ce520fde83b6f935d5673ff04e29cbc419 Mon Sep 17 00:00:00 2001 From: Ahmad Ibrahim Date: Wed, 13 Mar 2024 12:38:30 -0700 Subject: [PATCH 3/6] fix: update values to address linting issues --- chart/validator/values.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml index 5ff05afe..ea5228a2 100644 --- a/chart/validator/values.yaml 
+++ b/chart/validator/values.yaml 
@@ -483,17 +483,17 @@ pluginSecrets: # If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-auth.yaml for # an example of the expected format and ensure that it exists in the same namespace as the Helm release. # - auth: [] # Don't forget to delete these square brackets if you're specifying credentials here! - # - secretName: registry-creds # ensure this matches the credentials secretName in the OciRegistryRule - # username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here - # password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here - # + auth: [] # Don't forget to delete these square brackets if you're specifying credentials here! + # - secretName: registry-creds # ensure this matches the credentials secretName in the OciRegistryRule + # username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here + # password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here + # If installing the OCI plugin and enabling signature verification of artifacts, the below config is required unless the following applies: # - The target cluster already contains secrets with the correct format for all public keys used for signing artifacts. # If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-pubkey.yaml for # an example of the expected format and ensure that it exists in the same namespace as the Helm release. # - pubKeys: [] # Don't forget to delete these square brackets if you're specifying public keys here! - # - secretName: cosign-public-keys # ensure this matches the public key secretName in the OciRegistryRule - # pubkey1.pub: # ensure the key name ends in .pub - # pubkey2.pub: + pubKeys: [] # Don't forget to delete these square brackets if you're specifying public keys here! + # - secretName: cosign-public-keys # ensure this matches the public key secretName in the OciRegistryRule + # pubkey1.pub: # ensure the key name ends in .pub + # pubkey2.pub: 
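Review bot: The values.yaml hunk @@ -477 in the first patch shows `pubkey1.pub:` and `pubkey2.pub:` with no value; uncommented as written, each `$val` is nil and `b64enc`, which takes a string, aborts rendering with an unhelpful type error. Show the real shape of a value (a block scalar holding the key) and say what format the plugin expects. The `password: pa$$w0rd` placeholder also invites editing live credentials into the checked-in values.yaml; say explicitly that credentials belong in an untracked overrides file, `--set`, or the pre-existing Secret path the comment already describes.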
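Review bot: The `.env` pattern added to .gitignore has no leading `/`, so it ignores a `.env` at any depth but not the common variants (`.env.local`, `.env.*`); since the Makefile hunk in this patch makes that file a source of exported variables, either ignore `.env*` or document that only the root `.env` is read. Dropping the blank first line of .gitignore in the other hunk is fine.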
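Review bot: In the Makefile hunk, `include .env` followed by a bare `export` exports every Make variable, not only those read from .env, into the environment of every recipe and child process, so anything placed in .env for registry access becomes visible to every target, including third-party tools invoked during `make`. Also, `.env` is parsed with Make syntax rather than shell: `$` must be written `$$`, quotes are kept literally, and a `.env` written for `docker` or `dotenv` will not load the same way. Consider `-include .env` (no `wildcard` guard needed) plus `export` of only the named variables the targets use. The trailing-newline fix in the `frigate` hunk is fine.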
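Review bot: In the lint re-indent at @@ -483, the standalone `#` spacer that separated the `password` example from the signature-verification explanation is dropped (there is a `- #` with no matching `+`), so the two comment blocks now run together under `auth:`; keep one blank comment line so readers can see where the `pubKeys` section starts. The comment "ensure the key name ends in .pub" should also say what happens to keys that do not, since the template decides that.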
From e7cfde36fa2b86f5fc787b492e84e193a39a3b99 Mon Sep 17 00:00:00 2001 From: Ahmad Ibrahim Date: Wed, 13 Mar 2024 13:36:11 -0700 Subject: [PATCH 4/6] feat: ensure pub key data is only added data key has suffix .pub --- chart/validator/templates/plugin-secret-oci-pubkey.yaml | 2 ++ chart/validator/values.yaml | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/chart/validator/templates/plugin-secret-oci-pubkey.yaml b/chart/validator/templates/plugin-secret-oci-pubkey.yaml index eea4df8f..cbb6d986 100644 --- a/chart/validator/templates/plugin-secret-oci-pubkey.yaml +++ b/chart/validator/templates/plugin-secret-oci-pubkey.yaml @@ -5,7 +5,9 @@ metadata: name: {{ required ".Values.pluginSecrets.oci.pubKeys.secretName is required!" .secretName }} data: {{- range $key, $val := . }} + {{- if hasSuffix ".pub" $key }} {{ $key }}: {{ $val | b64enc | quote }} {{- end }} + {{- end }} --- {{- end }} diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml index ea5228a2..191cc17f 100644 --- a/chart/validator/values.yaml +++ b/chart/validator/values.yaml @@ -495,5 +495,7 @@ pluginSecrets: # pubKeys: [] # Don't forget to delete these square brackets if you're specifying public keys here! # - secretName: cosign-public-keys # ensure this matches the public key secretName in the OciRegistryRule - # pubkey1.pub: # ensure the key name ends in .pub - # pubkey2.pub: + # key1.pub: | # multiple public keys can be added to your secret, ensure each key name ends in .pub + # -----BEGIN PUBLIC KEY----- + # + # -----END PUBLIC KEY----- From 03dc7a7d8291bab545a64e90bb9627bf232b1468 Mon Sep 17 00:00:00 2001 From: Ahmad Ibrahim Date: Wed, 13 Mar 2024 18:34:24 -0700 Subject: [PATCH 5/6] chore: bump oci plugin to v0.0.8 --- chart/validator/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml index 191cc17f..3678fe44 100644 --- a/chart/validator/values.yaml 
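Review bot: The `hasSuffix ".pub" $key` guard in plugin-secret-oci-pubkey.yaml keeps `secretName` out of the Secret's `data`, which fixes the extra key noted on the first patch, but it also silently drops any key with another suffix, so a typo such as `key1.pem` renders a Secret with an empty `data` map and no error. Add an `{{- else }}` branch that calls `fail` for keys other than `secretName`, or at least check that each item yields at least one `.pub` entry.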
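Review bot: The `key1.pub: |` example at @@ -495 now shows a PEM block, which resolves the empty-value problem from the first patch; the `|` block scalar keeps the trailing newline that PEM parsers expect, so keep `|` rather than `|-`. State the accepted key format (the example implies a PEM-encoded public key) and where operators obtain it, so a certificate or a private key is not pasted by mistake.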
+++ b/chart/validator/values.yaml @@ -372,7 +372,7 @@ plugins: - chart: name: validator-plugin-oci repository: "https://spectrocloud-labs.github.io/validator-plugin-oci" - version: v0.0.7 + version: v0.0.8 values: |- controllerManager: kubeRbacProxy: @@ -407,7 +407,7 @@ plugins: - ALL image: repository: quay.io/spectrocloud-labs/validator-plugin-oci - tag: v0.0.7 + tag: v0.0.8 resources: limits: cpu: 500m From 2e7c6f76dd26909761b1ff3db2e57655b9083785 Mon Sep 17 00:00:00 2001 From: Ahmad Ibrahim Date: Thu, 14 Mar 2024 00:44:05 -0700 Subject: [PATCH 6/6] feat: update validationresults crd --- ...n.spectrocloud.labs_validationresults.yaml | 52 +++++++++++++++++-- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/chart/validator/crds/validation.spectrocloud.labs_validationresults.yaml b/chart/validator/crds/validation.spectrocloud.labs_validationresults.yaml index e027bc44..bd8d6a32 100644 --- a/chart/validator/crds/validation.spectrocloud.labs_validationresults.yaml +++ b/chart/validator/crds/validation.spectrocloud.labs_validationresults.yaml 
@@ -62,6 +62,52 @@ spec: description: ValidationResultStatus defines the observed state of ValidationResult properties: conditions: + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + state: + type: string + validationConditions: items: properties: details: @@ -87,7 +133,7 @@ spec: type: string status: description: True if the validation rule succeeded, otherwise - False + False. type: string validationRule: description: Unique, one-word description of the validation 
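Review bot: The @@ -62 hunk changes the meaning of `status.conditions`: the existing items schema (`validationRule`, `validationType`, `details`) moves to a new `validationConditions` field, and `conditions` is redefined as Cluster API style conditions requiring `lastTransitionTime`, `status` and `type`. Existing ValidationResult objects whose `status.conditions` entries carry the old shape will fail validation on their next update, and nothing migrates them, so this is a breaking change for plugins that write status and for anything reading it; call it out in the commit message and consider a storage-version bump with conversion instead of reusing the field name. The `False.` punctuation fix at @@ -87 is fine.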
@@ -104,10 +150,6 @@ spec: - validationType type: object type: array - sinkState: - type: string - state: - type: string required: - state type: object
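Review bot: Removing `sinkState` from the schema at @@ -104 means the structural schema prunes any `status.sinkState` that a running controller or sink still writes, silently; drop the field from the controller's status type and the sink code in the same change and confirm no external tooling reads it. `state` is only relocated (it is re-added alphabetically in the earlier hunk) and remains in `required`, so that part is fine.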