Merge pull request #29 from zakkg3/value-from-Issue3

Update to kopf 1.53 and k8s 1.25

Author: zakkg3

Dockerfile

@@ -1,3 +1,3 @@
-FROM flag5/clustersecretbase:0.0.4
+FROM flag5/clustersecretbase:0.0.5
 ADD /src /src
-CMD kopf run /src/handlers.py
+CMD kopf run -A /src/handlers.py

Dockerfile.arm

@@ -1,3 +1,3 @@
-FROM flag5/clustersecretbase:0.0.4_arm32
+FROM flag5/clustersecretbase:0.0.5_arm32
 ADD /src /src
-CMD kopf run /src/handlers.py
+CMD kopf run -A /src/handlers.py

Makefile

@@ -1,9 +1,9 @@
 IMG_NAMESPACE = flag5
 IMG_NAME = clustersecret
 IMG_FQNAME = $(IMG_NAMESPACE)/$(IMG_NAME)
-IMG_VERSION = 0.0.6
+IMG_VERSION = 0.0.7
 
-.PHONY: container push clean
+.PHONY: container push clean arm-container arm-push arm-clean
 all: container push
 arm: arm-container arm-push
 clean: clean arm-clean

README.md

@@ -3,7 +3,7 @@
 
 ---
 
-Introduce Kubernetes ClusterSecret 
+Kubernetes ClusterSecret 
 
 Global inter-namespace cluster secrets - Secrets that work across namespaces  - Clusterwide secrets
 
@@ -58,7 +58,13 @@ Clustersecrets automates this. It keep track of any modification in your secret
 
 # installation
 
-## tl;dr
+## Requirements
+
+Current version 0.0.7 is tested for Kubernetes >= 1.19 up to 1.25
+
+For older kubernes (<1.19) use the image tag "0.0.6" in  yaml/02_deployment.yaml
+
+## tl;dr install
 
 ```bash
 kubectl apply -f ./yaml
@@ -70,7 +76,7 @@ To instal ClusterSecret operator we need to create (in this order):
 
  - RBAC resources (avoid if you are not running RBAC) to allow the operator to create/update/patch secrets: yaml/00_
  - Custom resource definition for the ClusterSecret resource: yaml/01_crd.yaml
- - The ClusterSecret operator itself: yaml/02_deployment.yaml For ARM architectures yaml/arm32v7/02_deployment.yam
+ - The ClusterSecret operator itself: yaml/02_deployment.yaml || For **ARM architectures**: yaml/arm32v7/02_deployment.yam
 
 
 # quick start:
@@ -111,6 +117,10 @@ for a new namespaced role and its correspondient rolebinding.
 Here is the official doc:
 https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 
+## optional
+
+overwrite the deployment command with kopf namespaces instead of the "-A" (all namespaces)
+
 # Debugging.
 
 
@@ -132,12 +142,12 @@ kopf run ./src/handlers.py --verbose
 
 # Build the images
 
-There is makefiles for this, you can clone this repo. edit the makefile and then run make.
+There is makefiles for this, you can clone this repo. edit the makefile and then run 'make all'.
 
 You will need the base image first and then the final image.
 Find the base one in the folder base-image (yes very original name)
 
-Running make will build and push for all arch's supported. 
+Running just 'make' builds and push for all arch's supported. 
 
 ## x86
 
@@ -154,8 +164,14 @@ In case you want it for your raspberri py:
 cd base-images && make arm & cd ..
 make arm
 ```
+## Digests
 
- 
+latest = 0.0.7
+
+docker.io/flag5/clustersecret:
+
+0.0.7 digest: sha256:c8dffeefbd3c8c54af67be81cd769e3c18263920729946b75f098065318eddb1
+0.0.7_arm32: digest: sha256:ffac630417bd090c958c9facf50a31ba54e0b18c89ef52d8eec5c1326a5f20ad
 # Roadmap:
 
  - [] implement `source` to specify a source secret to sync instead of `data` field. (https://github.com/zakkg3/ClusterSecret/issues/3)

base-image/Dockerfile

@@ -1,3 +1,3 @@
-FROM python:3.7-slim
+FROM python:3.9-slim
 ADD requirements.txt /
 RUN pip install -r requirements.txt

base-image/Dockerfile.arm

@@ -1,4 +1,4 @@
-FROM arm32v7/python:3.8-slim
+FROM arm32v7/python:3.9-slim
 RUN apt update && apt install -y build-essential
 ADD requirements.txt /
 RUN pip install -r requirements.txt

base-image/Makefile

@@ -1,16 +1,14 @@
 IMG_NAMESPACE = flag5
 IMG_NAME = clustersecretbase
 IMG_FQNAME = $(IMG_NAMESPACE)/$(IMG_NAME)
-IMG_VERSION = 0.0.4
+IMG_VERSION = 0.0.5
 
-.PHONY: container arm-container push clean clean-arm
+.PHONY: container arm-container push arm-push clean clean-arm
 all: container push
 arm: arm-container arm-push
 clean: clean arm-clean
 
 
-
-
 container:
 	sudo docker build -t $(IMG_FQNAME):$(IMG_VERSION) -t $(IMG_FQNAME):latest .
 
@@ -20,7 +18,6 @@ push: container
 
 clean:
 	sudo docker rmi $(IMG_FQNAME):$(IMG_VERSION)
-	
 
 arm-container:
 	sudo docker build -t $(IMG_FQNAME):$(IMG_VERSION)_arm32 -f Dockerfile.arm .

base-image/requirements.txt

@@ -1,2 +1,2 @@
-kopf===0.27rc6
-kubernetes
+kopf===1.35.3
+kubernetes===19.15.0

src/handlers.py

@@ -5,7 +5,10 @@
 
 @kopf.on.delete('clustersecret.io', 'v1', 'clustersecrets')
 def on_delete(spec,uid,body,name,logger=None, **_):
-    syncedns = body['status']['create_fn']['syncedns']
+    try:
+        syncedns = body['status']['create_fn']['syncedns']
+    except KeyError:
+        syncedns=[]
     v1 = client.CoreV1Api()
     for ns in syncedns:
         logger.info(f'deleting secret {name} from namespace {ns}')
@@ -84,6 +87,9 @@ def get_ns_list(logger,body,v1=None):
         logger.debug("matching all namespaces.")
     logger.debug(f'Matching namespaces: {matchNamespace}')
 
+    if matchNamespace is None:  # if delted key (issue 26)
+        matchNamespace = '*'
+    
     try:
         avoidNamespaces = body.get('avoidNamespaces')
     except KeyError:
@@ -120,7 +126,7 @@ def create_secret(logger,namespace,body,v1=None):
         v1 = client.CoreV1Api()
         logger.debug('new client - fn create secret')
     try:
-        name = body['metadata']['name']
+        sec_name = body['metadata']['name']
     except KeyError:
         logger.debug("No name in body ?")
         raise kopf.TemporaryError("can not get the name.")
@@ -129,36 +135,49 @@ def create_secret(logger,namespace,body,v1=None):
     except KeyError:
         data = ''
         logger.error("Empty secret?? could not get the data.")
- 
+    
+    if 'valueFrom' in data:
+        if len(data.keys()) > 1:
+            raise kopf.TemporaryError("ValueFrom can not coexist with other keys in the data")
+            
+        try:
+            ns_from = data['ValueFrom']['namespace']
+            name_from = data['ValueFrom']['name']
+        except KeyError:
+            logger.error("Can not get Values from external secret")
+            # to-do keys_from
+        logger.debug(f'Take value from secret {name_from} from namespace {ns_from}')
+        # data = read_data_secret(name,namespace)
+        #here - doing the valuform thing. but first fix and update all.
+        
     secret_type = 'Opaque'
     if 'type' in body:
         secret_type = body['type']
-
-    metadata = {'name': name, 'namespace': namespace}
-    api_version = 'v1'
-    kind = 'Secret'
-    body = client.V1Secret(api_version, data , kind, metadata, type = secret_type)
+    body  = client.V1Secret()
+    body.metadata = client.V1ObjectMeta(name=sec_name)
+    body.type = secret_type
+    body.data = data
     # kopf.adopt(body)
     logger.info(f"cloning secret in namespace {namespace}")
     try:
         api_response = v1.create_namespaced_secret(namespace, body)
     except client.rest.ApiException as e:
         if e.reason == 'Conflict':
-            logger.warning(f"secret `{name}` already exist in namesace '{namespace}'")
+            logger.warning(f"secret `{sec_name}` already exist in namesace '{namespace}'")
             return 0
         logger.error(f'Can not create a secret, it is base64 encoded? data: {data}')
         logger.error(f'Kube exception {e}')
         return 1
     return 0
 
 @kopf.on.create('', 'v1', 'namespaces')
-async def namespace_watcher(patch,logger,meta,body,event,**kwargs):
+async def namespace_watcher(spec,patch,logger,meta,body,**kwargs):
     """Watch for namespace events
     """
     new_ns = meta['name']
     logger.debug(f"New namespace created: {new_ns} re-syncing")
     v1 = client.CoreV1Api()
-    
+    ns_new_list = []
     for k,v in csecs.items():
         obj_body = v['body']
         #logger.debug(f'k: {k} \n v:{v}')
@@ -167,7 +186,7 @@ async def namespace_watcher(patch,logger,meta,body,event,**kwargs):
         ns_new_list=get_ns_list(logger,obj_body,v1)
         logger.debug(f"new matched list: {ns_new_list}")
         if new_ns in ns_new_list:
-            logger.debug(f"Clonning secret {v['body']['metadata']['name']} into the new namespace {new_ns}")
+            logger.debug(f"Cloning secret {v['body']['metadata']['name']} into the new namespace {new_ns}")
             create_secret(logger,new_ns,v['body'],v1)
             # if there is a new matching ns, refresh memory
             v['syncedns'] = ns_new_list

yaml/00_rbac.yaml

@@ -9,7 +9,7 @@ metadata:
   namespace: "clustersecret"
   name: clustersecret-account
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: clustersecret-role-cluster
@@ -45,7 +45,7 @@ rules:
     resources: [secrets]
     verbs: [watch, list, get, patch, update, create, delete]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   namespace: "clustersecret"
@@ -71,7 +71,7 @@ rules:
     resources: [secrets]
     verbs: [create,update,patch]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: clustersecret-rolebinding-cluster
@@ -84,7 +84,7 @@ subjects:
     name: clustersecret-account
     namespace: "clustersecret"
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   namespace: "clustersecret"

yaml/01_crd.yaml

@@ -1,5 +1,5 @@
 # A demo CRD for the Kopf example operators.
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: clustersecrets.clustersecret.io
@@ -10,23 +10,23 @@ spec:
     - name: v1
       served: true
       storage: true
+      additionalPrinterColumns:
+        - name: Type
+          type: string
+          priority: 0
+          jsonPath: .type
+          description: Secret Type
+      #   - name: Subject
+      #     type: string
+      #     priority: 0
+      #     JSONPath: .subject
+      #   - name: Status
+      #     type: string
+      #     priority: 0
+  #     JSONPath: .ticket_status
   names:
     kind: ClusterSecret
     plural: clustersecrets
     singular: clustersecret
     shortNames:
       - csec
-  additionalPrinterColumns:
-    - name: Type
-      type: string
-      priority: 0
-      JSONPath: .type
-      description: Secret Type
-  #   - name: Subject
-  #     type: string
-  #     priority: 0
-  #     JSONPath: .subject
-  #   - name: Status
-  #     type: string
-  #     priority: 0
-  #     JSONPath: .ticket_status

yaml/02_deployment.yaml

@@ -20,11 +20,12 @@ spec:
         # - name: regcred
         containers:
         - name: clustersecret
-          image: flag5/clustersecret:0.0.6
+          image: flag5/clustersecret:0.0.7
           # imagePullPolicy: Always
           # Uncomment next lines for debug:
           # command:
           #   - "kopf"
           #   - "run"
+          #   - "-A"
           #   - "/src/handlers.py"
           #   - "--verbose"

yaml/Object_example/obj.yaml

@@ -15,6 +15,7 @@ matchNamespace:
 avoidNamespaces:
   - supersecret-ns
   - default
+  - kube-system
 data:
   tls.crt: MTIzNDU2Cg==
   tls.key: Nzg5MTAxMTIxMgo=