OT-CONTAINER-KIT
/
k8s-vault-webhook
mirror of https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: OT-CONTAINER-KIT:v4.0
Branches Tags
OT-CONTAINER-KIT:master
OT-CONTAINER-KIT:gh-pages
OT-CONTAINER-KIT:v4.0
OT-CONTAINER-KIT:v3.0
OT-CONTAINER-KIT:v2.0
OT-CONTAINER-KIT:v1.0
..
compare: OT-CONTAINER-KIT:master
Branches Tags
OT-CONTAINER-KIT:master
OT-CONTAINER-KIT:gh-pages
OT-CONTAINER-KIT:v4.0
OT-CONTAINER-KIT:v3.0
OT-CONTAINER-KIT:v2.0
OT-CONTAINER-KIT:v1.0

6 Commits
v4.0 ... master

Author SHA1 Message Date
Abhishek Dubey ae51e2ef90
Added blog link in the README 2021-09-21 11:38:07 +05:30
Abhishek Dubey f9d698061a
Update README.md 2021-08-26 11:48:26 +05:30
Abhishek Dubey f4115238fd
[Feature][Add] Added template for azure DevOps (#16) 
* Added azure pipeline template

Signed-off-by: iamabhishek-dubey <abhishekbhardwaj510@gmail.com>
 2021-05-19 19:06:29 +05:30
iamabhishek-dubey 8e6d3c2572 Merge branch 'master' of github.com:OT-CONTAINER-KIT/k8s-vault-webhook 2021-05-16 22:27:59 +05:30
iamabhishek-dubey dbf922906c Updated badge information 
Signed-off-by: iamabhishek-dubey <abhishekbhardwaj510@gmail.com>
 2021-05-16 22:27:35 +05:30
Abhishek Dubey b69fd3cb43
[Feature][Change] Updated azure devops ci pipeline (#15) 
* Added few security steps in azure pipline

Signed-off-by: iamabhishek-dubey <abhishekbhardwaj510@gmail.com>
 2021-05-16 22:18:31 +05:30
5 changed files with 66 additions and 188 deletions
Show Stats Expand all files Collapse all files

199
.azure-pipelines/pipeline.yml
View File

@ -7,190 +7,17 @@ pr:
include: include:
- master - master
variables: resources:
- group: RuntimeVariables repositories:
- repository: golang-template
stages: type: github
- stage: precheck name: opstree/azure-devops-template
jobs: endpoint: OT-CONTAINER-KIT
- job: govet
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- task: GoTool@0
displayName: "Installing Golang"
inputs:
version: '1.16'
- task: Go@0
displayName: "Executing go vet"
inputs:
command: 'custom'
customCommand: 'vet'
- stage: code_quality extends:
dependsOn: ["precheck"] template: golang-ci.yaml@golang-template
jobs: parameters:
- job: golang_ci_lint ApplicationName: k8s-vault-webhook
dependsOn: [] QuayImageName: opstree/k8s-vault-webhook
pool: GithubImageName: ot-container-kit/k8s-vault-webhook/k8s-vault-webhook
vmImage: "ubuntu-18.04" BuildDocs: true
steps:
- task: GoTool@0
displayName: "Installing Golang"
inputs:
version: '1.16'
- script: |
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.40.0
./bin/golangci-lint run --timeout 5m0s ./...
displayName: "Executing golang-ci lint"
- stage: dockerfile_lint
dependsOn: ["precheck"]
jobs:
- job: dockerfile_lint
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- script: scripts/dockerfile-linter.sh
displayName: "Executing dockerlinter"
- stage: build
dependsOn: ["code_quality"]
jobs:
- job: linux_amd64
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- task: GoTool@0
displayName: "Installing Golang"
inputs:
version: '1.16'
- task: Go@0
displayName: "Executing go build"
inputs:
command: 'build'
arguments: '-o $(Agent.BuildDirectory)/k8s-vault-webhook'
- task: ArchiveFiles@2
displayName: 'Archiving go binary'
inputs:
rootFolderOrFile: '$(Agent.BuildDirectory)/k8s-vault-webhook'
includeRootFolder: true
archiveType: 'zip'
archiveFile: '$(Build.ArtifactStagingDirectory)/compiled/k8s-vault-webhook-linux-amd64.zip'
replaceExistingArchive: true
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: '$(Build.ArtifactStagingDirectory)/compiled'
ArtifactName: 'drop'
publishLocation: 'Container'
- stage: build_image
dependsOn: ["dockerfile_lint"]
jobs:
- job: linux_amd64
dependsOn: []
steps:
- task: Docker@2
displayName: "Building docker image"
inputs:
command: 'build'
Dockerfile: '**/Dockerfile'
tags: '$(Build.BuildId)'
- stage: release_binaries
dependsOn: ["build", "build_image"]
jobs:
- job: goreleaser
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- script: scripts/goreleaser.sh
displayName: "Releasing go binaries"
env:
GITHUB_TOKEN: $(GithubToken)
condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
- stage: release_quay
dependsOn: ["build", "build_image"]
jobs:
- job: quay
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- task: Docker@2
displayName: "Publish quay image"
inputs:
containerRegistry: 'QuayServiceConnection'
repository: 'opstree/k8s-vault-webhook'
command: 'buildAndPush'
Dockerfile: '**/Dockerfile'
tags: |
latest
$(Build.SourceBranchName)
condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
- stage: release_github_image
dependsOn: ["build", "build_image"]
jobs:
- job: github
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- task: Docker@2
displayName: "Publish github image"
inputs:
containerRegistry: 'GithubServiceConnection'
repository: 'ot-container-kit/k8s-vault-webhook/k8s-vault-webhook'
command: 'buildAndPush'
Dockerfile: '**/Dockerfile'
tags: |
latest
$(Build.SourceBranchName)
condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
- stage: verify
dependsOn: ["release_binaries", "release_quay", "release_github_image"]
jobs:
- job: verfiy
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- task: DownloadBuildArtifacts@0
displayName: "Downloading the artifact"
inputs:
buildType: 'current'
downloadType: 'single'
artifactName: 'drop'
downloadPath: '$(System.ArtifactsDirectory)'
- task: ExtractFiles@1
displayName: "Extracting files"
inputs:
archiveFilePatterns: '$(System.ArtifactsDirectory)/drop/k8s-vault-webhook-linux-amd64.zip'
destinationFolder: '$(Agent.BuildDirectory)'
cleanDestinationFolder: false
overwriteExistingFiles: true
- script: |
$(Agent.BuildDirectory)/k8s-vault-webhook --help || true
displayName: "Executing k8s-vault-webhook"
- stage: docs
dependsOn: ["release_binaries", "release_quay", "release_github_image"]
jobs:
- job: build
dependsOn: []
pool:
vmImage: "ubuntu-18.04"
steps:
- task: NodeTool@0
displayName: "Installing NodeJS"
inputs:
versionSpec: '>=8.6'
- script: scripts/build-docs.sh
displayName: "Building documentation"

8
README.md
View File

@ -3,8 +3,8 @@
</div> </div>
<p align="center"> <p align="center">
<a href="https://dev.azure.com/abhishekbhardwaj510/DevOps/_build?definitionId=4&_a=summary"> <a href="https://dev.azure.com/opstreedevops/DevOps/_build?definitionId=4">
<img src="https://dev.azure.com/abhishekbhardwaj510/DevOps/_apis/build/status/k8s-vault-webhook/k8s-vault-webhook?branchName=master" alt="Azure Pipelines"> <img src="https://dev.azure.com/opstreedevops/DevOps/_apis/build/status/k8s-vault-webhook/k8s-vault-webhook?branchName=master" alt="Azure Pipelines">
</a> </a>
<a href="https://goreportcard.com/report/github.com/OT-CONTAINER-KIT/k8s-vault-webhook"> <a href="https://goreportcard.com/report/github.com/OT-CONTAINER-KIT/k8s-vault-webhook">
<img src="https://goreportcard.com/badge/github.com/OT-CONTAINER-KIT/k8s-vault-webhook" alt="GoReportCard"> <img src="https://goreportcard.com/badge/github.com/OT-CONTAINER-KIT/k8s-vault-webhook" alt="GoReportCard">
@ -28,6 +28,8 @@ The motive of creating this project is to provide a dynamic secret injection to
Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-webhook/ Documentation is available here:- https://ot-container-kit.github.io/k8s-vault-webhook/
Blog Link:- https://blog.opstree.com/2021/09/14/introducing-kubernetes-vault-web-hook/
The secret managers which are currently supported:- The secret managers which are currently supported:-
- **[Hashicorp Vault](https://www.vaultproject.io/)** - **[Hashicorp Vault](https://www.vaultproject.io/)**
@ -35,6 +37,8 @@ The secret managers which are currently supported:-
- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)** - **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
- **[GCP Secret Manager](https://cloud.google.com/secret-manager)** - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
This project is based on secret-consumer-webhook. Please check out the source code at https://github.com/innovia/secrets-consumer-webhook.
### Supported Features ### Supported Features
- Authentication to Hashicorp vault using Kubernetes service-account - Authentication to Hashicorp vault using Kubernetes service-account

11
scripts/gofmt.sh Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
gofmt_files=$(go fmt ./... | wc -l)
if [[ ${gofmt_files} > 0 ]]
then
echo "Please format golang files using:- go fmt ./..."
exit 1
else
echo "All files are formated using gofmt"
fi

16
scripts/gosec.sh Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
install_gosec() {
curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s latest
}
execute_gosec() {
./bin/gosec -fmt=junit-xml -out=./bin/results.xml ./... || true
}
main() {
install_gosec
execute_gosec
}
main

20
scripts/trivy-scan.sh Executable file
View File

@ -0,0 +1,20 @@
#!/bin/bash
install_trivy() {
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y
}
execute_trivy() {
trivy image --input ${IMAGE_PATH}
}
main() {
install_trivy
execute_trivy
}
main