OT-CONTAINER-KIT
/
k8s-vault-webhook
mirror of https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: OT-CONTAINER-KIT:master
Branches Tags
OT-CONTAINER-KIT:master
OT-CONTAINER-KIT:gh-pages
OT-CONTAINER-KIT:v4.0
OT-CONTAINER-KIT:v3.0
OT-CONTAINER-KIT:v2.0
OT-CONTAINER-KIT:v1.0
..
compare: OT-CONTAINER-KIT:v3.0
Branches Tags
OT-CONTAINER-KIT:master
OT-CONTAINER-KIT:gh-pages
OT-CONTAINER-KIT:v4.0
OT-CONTAINER-KIT:v3.0
OT-CONTAINER-KIT:v2.0
OT-CONTAINER-KIT:v1.0

No commits in common. "master" and "v3.0" have entirely different histories.
master ... v3.0

31 changed files with 64 additions and 437 deletions
Show Stats Expand all files Collapse all files

23
.azure-pipelines/pipeline.yml
View File

@ -1,23 +0,0 @@
---
trigger:
- master
pr:
branches:
include:
- master
resources:
repositories:
- repository: golang-template
type: github
name: opstree/azure-devops-template
endpoint: OT-CONTAINER-KIT
extends:
template: golang-ci.yaml@golang-template
parameters:
ApplicationName: k8s-vault-webhook
QuayImageName: opstree/k8s-vault-webhook
GithubImageName: ot-container-kit/k8s-vault-webhook/k8s-vault-webhook
BuildDocs: true

49
.github/workflows/workflow.yaml vendored Normal file
View File

@ -0,0 +1,49 @@
---
name: CI Pipeline
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: '1.15.0'
- name: Building code
run: |
make build-code
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Building Image
uses: docker/build-push-action@v2
with:
context: .
file: ./Dockerfile
push: false
tags: opstree/k8s-vault-webhook:latest
golangci:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: golangci-lint
uses: golangci/golangci-lint-action@v2
with:
version: v1.29
args: --timeout 5m0s

1
.gitignore vendored
View File

@ -1,3 +1,2 @@
k8s-vault-webhook k8s-vault-webhook
docs/build/ docs/build/
bin

10
CHANGELOG.md
View File

@ -1,13 +1,3 @@
### v4.0
##### May 16, 2021
#### :tada: [Features Added]
- Added GCP secret Manager support
- Added CI pipeline using Azure DevOps
- Authenticate and authorize using GCP service-account and annotations
- Secret injection in pods/containers from GCP Secret Manager
### v3.0 ### v3.0
##### May 9, 2021 ##### May 9, 2021

2
Makefile
View File

@ -2,7 +2,7 @@
REGISTRY ?= quay.io REGISTRY ?= quay.io
REPOSITORY ?= $(REGISTRY)/opstree REPOSITORY ?= $(REGISTRY)/opstree
ARTIFACT_NAME=k8s-vault-webhook ARTIFACT_NAME=k8s-vault-webhook
VERSION = 4.0 VERSION = 3.0
all: build-code build-image all: build-code build-image

13
README.md
View File

@ -3,8 +3,8 @@
</div> </div>
<p align="center"> <p align="center">
<a href="https://dev.azure.com/opstreedevops/DevOps/_build?definitionId=4"> <a href="https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook">
<img src="https://dev.azure.com/opstreedevops/DevOps/_apis/build/status/k8s-vault-webhook/k8s-vault-webhook?branchName=master" alt="Azure Pipelines"> <img src="https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/workflows/CI%20Pipeline/badge.svg" alt="Github CI">
</a> </a>
<a href="https://goreportcard.com/report/github.com/OT-CONTAINER-KIT/k8s-vault-webhook"> <a href="https://goreportcard.com/report/github.com/OT-CONTAINER-KIT/k8s-vault-webhook">
<img src="https://goreportcard.com/badge/github.com/OT-CONTAINER-KIT/k8s-vault-webhook" alt="GoReportCard"> <img src="https://goreportcard.com/badge/github.com/OT-CONTAINER-KIT/k8s-vault-webhook" alt="GoReportCard">
@ -28,16 +28,15 @@ The motive of creating this project is to provide a dynamic secret injection to
Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-webhook/ Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-webhook/
Blog Link:- https://blog.opstree.com/2021/09/14/introducing-kubernetes-vault-web-hook/
The secret managers which are currently supported:- The secret managers which are currently supported:-
- **[Hashicorp Vault](https://www.vaultproject.io/)** - **[Hashicorp Vault](https://www.vaultproject.io/)**
- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)** - **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)** - **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
- **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
This project is based on secret-consumer-webhook. Please check out the source code at https://github.com/innovia/secrets-consumer-webhook. There are some secret managers which are planned to be implemented in future.
- **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
### Supported Features ### Supported Features
@ -49,8 +48,6 @@ This project is based on secret-consumer-webhook. Please check out the source co
- Fetch secrets from Azure Key Vault and inject them in pods/containers - Fetch secrets from Azure Key Vault and inject them in pods/containers
- Pod AD identity and Service principal based authentication in Azure - Pod AD identity and Service principal based authentication in Azure
- Authentication with AWS Secret Manager with access key and iam role - Authentication with AWS Secret Manager with access key and iam role
- Authenticate and authorize using GCP service-account and annotations
- Secret injection in pods/containers from GCP Secret Manager
- Support regex to inject all secrets from a certain path of Vault - Support regex to inject all secrets from a certain path of Vault
- Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable - Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable

1
VERSION
View File

@ -1 +0,0 @@
v4.0

16
annotations.go
View File

@ -1,22 +1,6 @@
package main package main
const ( const (
// AnnotationGCPSecretManagerEnabled if enabled use GCP secret manager
AnnotationGCPSecretManagerEnabled = "gcp.opstree.secret.manager/enabled"
// AnnotationGCPSecretManagerProjectID the gcp project id to use for the secret manager
AnnotationGCPSecretManagerProjectID = "gcp.opstree.secret.manager/project-id"
// AnnotationGCPSecretManagerSecretName the name of the GCP secret
AnnotationGCPSecretManagerSecretName = "gcp.opstree.secret.manager/secret-name"
// AnnotationGCPSecretManagerSecretVersion the version number for the secret
AnnotationGCPSecretManagerSecretVersion = "gcp.opstree.secret.manager/secret-version"
// AnnotationGCPSecretManagerGCPServiceAccountKeySecretName is the secret name where the GCP service account credentials
// are stored and has teh permissions to access the secret
AnnotationGCPSecretManagerGCPServiceAccountKeySecretName = "gcp.opstree.secret.manager/gcp-service-account-key-secret-name"
// AnnotationAzureKeyVaultEnabled if enabled it will use Azure Key Vault // AnnotationAzureKeyVaultEnabled if enabled it will use Azure Key Vault
AnnotationAzureKeyVaultEnabled = "azure.opstree.secret.manager/enabled" AnnotationAzureKeyVaultEnabled = "azure.opstree.secret.manager/enabled"

2
docs/src/.vuepress/config.js
View File

@ -71,7 +71,6 @@ module.exports = {
'hashicorp-vault', 'hashicorp-vault',
'aws-secret-manager', 'aws-secret-manager',
'azure-integration', 'azure-integration',
'gcp-secret-manager',
] ]
}, },
{ {
@ -81,7 +80,6 @@ module.exports = {
'hashicorp-vault-example', 'hashicorp-vault-example',
'aws-secret-manager-example', 'aws-secret-manager-example',
'azure-examples', 'azure-examples',
'gcp-secret-manager-example',
] ]
}, },
{ {

3
docs/src/guide/README.md
View File

@ -13,6 +13,9 @@ The secret managers which are currently supported:-
- **[Hashicorp Vault](https://www.vaultproject.io/)** - **[Hashicorp Vault](https://www.vaultproject.io/)**
- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)** - **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
There are some secret managers which are planned to be implemented in future.
- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)** - **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
- **[GCP Secret Manager](https://cloud.google.com/secret-manager)** - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**

13
docs/src/guide/annotations.md
View File

@ -8,6 +8,9 @@ The annotations which are currently supported:-
- **[Hashicorp Vault](https://www.vaultproject.io/)** - **[Hashicorp Vault](https://www.vaultproject.io/)**
- **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)** - **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)** - **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
There are some other annotations which are planned to be implemented in future.
- **[GCP Secret Manager](https://cloud.google.com/secret-manager)** - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
## Vault Annotations ## Vault Annotations
@ -43,13 +46,3 @@ The available annotations for k8s vault webhook are:-
|--------|---------------|------------|-----------| |--------|---------------|------------|-----------|
|`azure.secret.manager/enabled`| Enable the Azure Key Vault | - | false | |`azure.secret.manager/enabled`| Enable the Azure Key Vault | - | false |
|`azure.secret.manager/vault-name`| Name of the Azure Key Vault in which secrets are held | no | test-secret | |`azure.secret.manager/vault-name`| Name of the Azure Key Vault in which secrets are held | no | test-secret |
## GCP Annotations
|**Name**|**Description**|**Required**|**Default**|
|--------|---------------|------------|-----------|
|`gcp.opstree.secret.manager/enabled`| enable the GCP secret manager | - | false |
|`gcp.opstree.secret.manager/project-id` | GCP Project ID | Yes | - |
|`gcp.opstree.secret.manager/gcp-service-account-key-secret-name` | GCP IAM service account secret name (file name **must be** `service-account.json`) | No | Google Default Application Credentials |
|`gcp.opstree.secret.manager/secret-name` | secret name | Yes | - |
|`gcp.opstree.secret.manager/secret-version` | specify the secret version as string | No | Latest |

10
docs/src/guide/changelog.md
View File

@ -1,13 +1,3 @@
### v4.0
**May 16, 2021**
**:tada: [Features Added]**
- Added GCP secret Manager support
- Added CI pipeline using Azure DevOps
- Authenticate and authorize using GCP service-account and annotations
- Secret injection in pods/containers from GCP Secret Manager
### v3.0 ### v3.0
**May 9, 2021** **May 9, 2021**

70
docs/src/guide/gcp-secret-manager-example.md
View File

@ -1,70 +0,0 @@
# GCP Secret Manager
Let's try to create a deployment to inject secrets directly from GCP Secret Manager. For example, purpose we are taking mysql as deployment and then we will try to set mysql root password using k8s-vault-webhook.
We can use our [example](https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/tree/master/example) folder.
The environment variables will get substitute automatically, we just have to provide some custom annotations.
```yaml
template:
metadata:
labels:
app: k8s-gcp-mysql
tier: mysql
annotations:
gcp.opstree.secret.manager/enabled: "true"
gcp.opstree.secret.manager/project-id: "graceful-flag-209120"
gcp.opstree.secret.manager/secret-name: "test-secret"
gcp.opstree.secret.manager/secret-version: "3"
gcp.opstree.secret.manager/gcp-service-account-key-secret-name: "gcp-sa"
spec:
containers:
- image: opstree/mysql:latest
name: mysql
ports:
- containerPort: 3306
name: mysql
```
Let's try to apply the deployment manifest.
```shell
$ kubectl apply -f example/gcp-mysql-example.yaml
...
deployment.apps/k8s-gcp-mysql configured
```
Verify the mysql pods are running or not by using `kubectl` command line.
```shell
$ kubectl get pods
...
NAME READY STATUS RESTARTS AGE
k8s-gcp-mysql-7b45bbc486-8w55w 1/1 Running 0 16h
```
Now let's try to get inside the `mysql` pod and see if the GCP Secret Manager's password is working fine or not.
```shell
$ kubectl exec -it k8s-gcp-mysql-7b45bbc486-8w55w \
-- mysql -u root -pgcppassword -e "show databases;"
...
Warning: Using a password on the command line interface can be insecure.
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
```
Also, try to check the value in environment variable of MySQL pod.
```shell
$ kubectl exec -it k8s-gcp-mysql-7b45bbc486-8w55w \
-- env | grep ROOT
...
No output
```

23
docs/src/guide/gcp-secret-manager.md
View File

@ -1,23 +0,0 @@
# GCP Secret Manager
For integrating GCP Secret Manager with the K8s Vault Webhook, first we need to setup GCP Secret Manager inside GCP account.
Here we will talk about the integration of GCP Secret Manager inside Kubernetes.
Login into the [GCP Portal](https://console.cloud.google.com/) and select [GCP Secret Manager](https://console.cloud.google.com/security/secret-manager) service.
![](./images/gcp-secret-manager.png)
Create a secret by clicking on **Create Secret** and provide a JSON key value pair in the secret data like this:-
```json
{
"MYSQL_ROOT_PASSWORD": "gcppassword"
}
```
![](./images/gcp-secret-manager-create.png)
Once the secret details has been provided, create the secret.
**We can provide multiple key-value in form on JSON data**

BIN
docs/src/guide/images/gcp-secret-manager-create.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
docs/src/guide/images/gcp-secret-manager.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 26 KiB

BIN
docs/src/guide/images/gcp-secret-mananger-gcp.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 17 KiB

2
docs/src/guide/secret-manager.md
View File

@ -38,5 +38,3 @@ Azure Key Vault is cloud service to securely store and accessing credentials suc
## GCP Secret Manager ## GCP Secret Manager
GCP Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud. GCP Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.
![](./images/gcp-secret-mananger-gcp.png)

32
example/gcp-mysql-example.yaml
View File

@ -1,32 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8s-gcp-mysql
labels:
app: k8s-gcp-mysql
spec:
selector:
matchLabels:
app: k8s-gcp-mysql
tier: mysql
strategy:
type: Recreate
template:
metadata:
labels:
app: k8s-gcp-mysql
tier: mysql
annotations:
gcp.opstree.secret.manager/enabled: "true"
gcp.opstree.secret.manager/project-id: "graceful-flag-209120"
gcp.opstree.secret.manager/secret-name: "test-secret"
gcp.opstree.secret.manager/secret-version: "3"
gcp.opstree.secret.manager/gcp-service-account-key-secret-name: "gcp-sa"
spec:
containers:
- image: opstree/mysql:latest
name: mysql
ports:
- containerPort: 3306
name: mysql

54
gcp.go
View File

@ -1,54 +0,0 @@
package main
import (
"fmt"
corev1 "k8s.io/api/core/v1"
)
type gcp struct {
config struct {
enabled bool
projectID string
secretName string
secretVersion string
serviceAccountKeySecretName string
}
}
func (gcp *gcp) mutateContainer(container corev1.Container) corev1.Container {
container = gcp.setArgs(container)
// Mount google service account key if given
if gcp.config.serviceAccountKeySecretName != "" {
container.VolumeMounts = append(container.VolumeMounts, []corev1.VolumeMount{
{
Name: VolumeMountGoogleCloudKeyName,
MountPath: VolumeMountGoogleCloudKeyPath,
},
}...)
}
return container
}
func (gcp *gcp) setArgs(c corev1.Container) corev1.Container {
args := []string{"gcp"}
args = append(args, fmt.Sprintf("--project-id=%s", gcp.config.projectID))
if gcp.config.secretName != "" {
args = append(args, fmt.Sprintf("--secret-name=%s", gcp.config.secretName))
}
if gcp.config.secretVersion != "" {
args = append(args, fmt.Sprintf("--secret-version=%s", gcp.config.secretVersion))
}
if gcp.config.secretName != "" {
args = append(args, fmt.Sprintf("--google-application-credentials=%s", fmt.Sprintf("%s/%s", VolumeMountGoogleCloudKeyPath, GCPServiceAccountCredentialsFileName)))
}
args = append(args, "--")
c.Args = append(args, c.Args...)
return c
}

45
main.go
View File

@ -50,20 +50,6 @@ func (mw *mutatingWebhook) getVolumes(existingVolumes []corev1.Volume, secretMan
}, },
} }
if secretManagerConfig.gcp.config.serviceAccountKeySecretName != "" {
mw.logger.Debugf("Adding Google Cloud Key Volume to podspec")
volumes = append(volumes, []corev1.Volume{
{
Name: "google-cloud-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: secretManagerConfig.gcp.config.serviceAccountKeySecretName,
},
},
},
}...)
}
if secretManagerConfig.vault.config.tlsSecretName != "" { if secretManagerConfig.vault.config.tlsSecretName != "" {
mw.logger.Debugf("Adding Vault TLS Volume to podspec") mw.logger.Debugf("Adding Vault TLS Volume to podspec")
volumes = append(volumes, []corev1.Volume{ volumes = append(volumes, []corev1.Volume{
@ -272,11 +258,6 @@ func (mw *mutatingWebhook) mutateContainers(containers []corev1.Container, podSp
mutationInProgress = true mutationInProgress = true
} }
if secretManagerConfig.gcp.config.enabled {
container = secretManagerConfig.gcp.mutateContainer(container)
mutationInProgress = true
}
if secretManagerConfig.vault.config.enabled { if secretManagerConfig.vault.config.enabled {
container = secretManagerConfig.vault.mutateContainer(container) container = secretManagerConfig.vault.mutateContainer(container)
mutationInProgress = true mutationInProgress = true
@ -365,12 +346,6 @@ func (mw *mutatingWebhook) parseSecretManagerConfig(obj metav1.Object) secretMan
var smCfg secretManagerConfig var smCfg secretManagerConfig
annotations := obj.GetAnnotations() annotations := obj.GetAnnotations()
smCfg.gcp.config.enabled, _ = strconv.ParseBool(annotations[AnnotationGCPSecretManagerEnabled])
smCfg.gcp.config.projectID = annotations[AnnotationGCPSecretManagerProjectID]
smCfg.gcp.config.secretName = annotations[AnnotationGCPSecretManagerSecretName]
smCfg.gcp.config.secretVersion = annotations[AnnotationGCPSecretManagerSecretVersion]
smCfg.gcp.config.serviceAccountKeySecretName = annotations[AnnotationGCPSecretManagerGCPServiceAccountKeySecretName]
smCfg.azure.config.enabled, _ = strconv.ParseBool(annotations[AnnotationAzureKeyVaultEnabled]) smCfg.azure.config.enabled, _ = strconv.ParseBool(annotations[AnnotationAzureKeyVaultEnabled])
smCfg.azure.config.azureKeyVaultName = annotations[AnnotationAzureKeyVaultName] smCfg.azure.config.azureKeyVaultName = annotations[AnnotationAzureKeyVaultName]
@ -433,24 +408,6 @@ func (mw *mutatingWebhook) SecretsMutator(ctx context.Context, obj metav1.Object
return false, mw.mutatePod(v, smCfg, whcontext.GetAdmissionRequest(ctx).Namespace, whcontext.IsAdmissionRequestDryRun(ctx)) return false, mw.mutatePod(v, smCfg, whcontext.GetAdmissionRequest(ctx).Namespace, whcontext.IsAdmissionRequestDryRun(ctx))
} }
if smCfg.gcp.config.enabled {
var err error
mw.logger.Infof("Using GCP Secret Manager")
if smCfg.gcp.config.projectID == "" {
err = fmt.Errorf("Error getting gcp project id - make sure you set the annotation %s on the Pod", AnnotationGCPSecretManagerProjectID)
}
if smCfg.gcp.config.secretName == "" {
err = fmt.Errorf("Error getting gcp secret name - make sure you set the annotation %s on the Pod", AnnotationGCPSecretManagerSecretName)
}
if err != nil {
return true, err
}
return false, mw.mutatePod(v, smCfg, whcontext.GetAdmissionRequest(ctx).Namespace, whcontext.IsAdmissionRequestDryRun(ctx))
}
if smCfg.vault.config.enabled { if smCfg.vault.config.enabled {
var err error var err error
mw.logger.Info("Using Vault Secret Manager") mw.logger.Info("Using Vault Secret Manager")
@ -522,7 +479,7 @@ func newK8SClient() (kubernetes.Interface, error) {
} }
func init() { func init() {
viper.SetDefault("k8s_secret_injector_image", "quay.io/opstree/k8s-secret-injector:4.0") viper.SetDefault("k8s_secret_injector_image", "quay.io/opstree/k8s-secret-injector:3.0")
viper.SetDefault("k8s_secret_injector_image_pull_policy", string(corev1.PullIfNotPresent)) viper.SetDefault("k8s_secret_injector_image_pull_policy", string(corev1.PullIfNotPresent))
viper.SetDefault("k8s_secret_injector_image_pull_secret_name", "") viper.SetDefault("k8s_secret_injector_image_pull_secret_name", "")
viper.SetDefault("tls_cert_file", "") viper.SetDefault("tls_cert_file", "")

9
scripts/build-docs.sh
View File

@ -1,9 +0,0 @@
#!/bin/bash
build_docs() {
cd docs; yarn install && \
yarn add -D vuepress && \
yarn build
}
build_docs

17
scripts/dockerfile-linter.sh
View File

@ -1,17 +0,0 @@
#!/bin/bash
download_hadolint() {
wget https://github.com/hadolint/hadolint/releases/download/v2.4.0/hadolint-Linux-x86_64
chmod +x hadolint-Linux-x86_64
}
execute_hadolint() {
./hadolint-Linux-x86_64 Dockerfile --ignore DL3007 --ignore DL3018
}
main() {
download_hadolint
execute_hadolint
}
main

11
scripts/gofmt.sh
View File

@ -1,11 +0,0 @@
#!/bin/bash
gofmt_files=$(go fmt ./... | wc -l)
if [[ ${gofmt_files} > 0 ]]
then
echo "Please format golang files using:- go fmt ./..."
exit 1
else
echo "All files are formated using gofmt"
fi

26
scripts/goreleaser.sh
View File

@ -1,26 +0,0 @@
#!/bin/bash
install_goreleaser() {
curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
}
release() {
install_goreleaser
./bin/goreleaser release --rm-dist
}
compare_version() {
version=$(cat VERSION)
if ! git tag -l | grep "${version}"
then
git checkout master
echo "git tag ${version}"
git tag "${version}"
release
else
git tag -l
echo "Latest version is already updated"
fi
}
compare_version

16
scripts/gosec.sh
View File

@ -1,16 +0,0 @@
#!/bin/bash
install_gosec() {
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s latest
}
execute_gosec() {
./bin/gosec -fmt=junit-xml -out=./bin/results.xml ./... || true
}
main() {
install_gosec
execute_gosec
}
main

19
scripts/spellcheck.sh
View File

@ -1,19 +0,0 @@
#!/bin/bash
install_spellcheck() {
sudo apt-get update -y
sudo apt-get install -y aspell
}
run_spellcheck() {
aspell ../README.md
aspell ../CHANGELOG.md
aspell ../DEVELOPMENT.md
}
main() {
install_spellcheck
run_spellcheck
}
main

20
scripts/trivy-scan.sh
View File

@ -1,20 +0,0 @@
#!/bin/bash
install_trivy() {
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y
}
execute_trivy() {
trivy image --input ${IMAGE_PATH}
}
main() {
install_trivy
execute_trivy
}
main

9
settings.go
View File

@ -1,15 +1,6 @@
package main package main
const ( const (
// VolumeMountGoogleCloudKeyPath the path where the gcp service acount credentials would be mount to
VolumeMountGoogleCloudKeyPath = "/var/run/secret/cloud.google.com"
// VolumeMountGoogleCloudKeyName the name of the volume for the gcp service account
VolumeMountGoogleCloudKeyName = "google-cloud-key"
// GCPServiceAccountCredentialsFileName the name of the generated credentials file for gcp
GCPServiceAccountCredentialsFileName = "service-account.json"
// VaultTLSMountPath path where to mount the vault TLS secret // VaultTLSMountPath path where to mount the vault TLS secret
VaultTLSMountPath = "/etc/tls/" VaultTLSMountPath = "/etc/tls/"

1
types.go
View File

@ -10,7 +10,6 @@ type secretManagerConfig struct {
vault vault
aws aws
azure azure
gcp
// explicitSecrets bool // only get secrets that match the prefix `secret:` // explicitSecrets bool // only get secrets that match the prefix `secret:`
} }

2
version/version.go
View File

@ -1,7 +1,7 @@
package version package version
// version is a private field // version is a private field
var version = "4.0" var version = "3.0"
// GetVersion returns the current version // GetVersion returns the current version
func GetVersion() string { func GetVersion() string {