Merge pull request #72 from projectsyn/feat/support-secrets

Support custom secrets

Author: DebakelOrakel

.cruft.json

@@ -7,11 +7,11 @@
       "name": "fluentbit",
       "slug": "fluentbit",
       "parameter_key": "fluentbit",
-      "test_cases": "defaults",
+      "test_cases": "defaults config",
       "add_lib": "n",
       "add_pp": "y",
       "add_golden": "y",
-      "add_matrix": "n",
+      "add_matrix": "y",
       "add_go_unit": "n",
       "automerge_patch": "y",
       "automerge_patch_v0": "n",

.github/workflows/test.yaml

@@ -29,6 +29,11 @@ jobs:
           args: 'check'
   test:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        instance:
+          - defaults
+          - config
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -37,9 +42,14 @@ jobs:
         with:
           path: ${{ env.COMPONENT_NAME }}
       - name: Compile component
-        run: make test
+        run: make test -e instance=${{ matrix.instance }}
   golden:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        instance:
+          - defaults
+          - config
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -48,4 +58,4 @@ jobs:
         with:
           path: ${{ env.COMPONENT_NAME }}
       - name: Golden diff
-        run: make golden-diff
+        run: make golden-diff -e instance=${{ matrix.instance }}

Makefile

@@ -71,6 +71,22 @@ golden-diff: commodore_args += -f tests/$(instance).yml
 golden-diff: clean .compile ## Diff compile output against the reference version. Review output and run `make gen-golden golden-diff` if this target fails.
 	@git diff --exit-code --minimal --no-index -- tests/golden/$(instance) compiled/
 
+.PHONY: golden-diff-all
+golden-diff-all: recursive_target=golden-diff
+golden-diff-all: $(test_instances) ## Run golden-diff for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1).
+
+.PHONY: gen-golden-all
+gen-golden-all: recursive_target=gen-golden
+gen-golden-all: $(test_instances) ## Run gen-golden for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1).
+
+.PHONY: lint_kubent_all
+lint_kubent_all: recursive_target=lint_kubent
+lint_kubent_all: $(test_instances) ## Lint deprecated Kubernetes API versions for all golden test instances. Will exit on first error. Note: this doesn't work when running make with multiple parallel jobs (-j != 1).
+
+.PHONY: $(test_instances)
+$(test_instances):
+	$(MAKE) $(recursive_target) -e instance=$(basename $(@F))
+
 .PHONY: clean
 clean: ## Clean the project
 	rm -rf .cache compiled dependencies vendor helmcharts jsonnetfile*.json || true

Makefile.vars.mk

@@ -57,3 +57,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
+test_instances = tests/defaults.yml tests/config.yml

class/defaults.yml

@@ -66,6 +66,10 @@ parameters:
           K8S-Logging.Parser: "On"
           K8S-Logging.Exclude: "On"
 
+    # Configure a custom secret to deploy
+    secretName: ${_instance}
+    secret: {}
+
     # Add volumes to the pod spec
     extraVolumes: []
     extraVolumeMounts: []

component/main.jsonnet

@@ -162,8 +162,25 @@ local configmap = kube.ConfigMap(params.configMapName) {
   },
 };
 
+local secret = kube.Secret(params.secretName) {
+  metadata+: {
+    labels+: {
+      'app.kubernetes.io/name': params.secretName,
+      'app.kubernetes.io/instance': instanceName,
+      'app.kubernetes.io/component': 'fluent-bit',
+      'app.kubernetes.io/managed-by': 'commodore',
+    },
+  },
+  stringData: {
+    [s]: params.secret[s]
+    for s in std.objectFields(params.secret)
+  },
+  data:: {},
+};
+
 {
   [if params.createNamespace then '00_namespace']: kube.Namespace(params.namespace),
+  [if std.length(params.secret) > 0 then '10_custom_secret']: secret,
   '10_custom_config': configmap,
   [if params.monitoring.enabled then '20_service_monitor']:
     kube._Object('monitoring.coreos.com/v1', 'ServiceMonitor', 'fluent-bit') {

docs/modules/ROOT/pages/references/parameters.adoc

@@ -180,6 +180,22 @@ capitalization of keys and values).
 If the dict for a section doesn't have a key `Name`, the key for the section will be used as the plugin name for the section.
 This allows avoiding repetition, when it's unnecessary, while still supporting having multiple outputs using the same plugin.
 
+== `secretName`
+
+[horizontal]
+type:: string
+default:: `${_instance}`
+
+The name of the generated secret.
+
+== `secret`
+
+[horizontal]
+type:: dict
+default:: {}
+
+Create a custom secret which containes the key-value pairs defined in this dict.
+
 == `annotations`
 
 [horizontal]

renovate.json

@@ -13,7 +13,7 @@
   "separateMinorPatch": true,
   "postUpgradeTasks": {
     "commands": [
-      "make gen-golden"
+      "make gen-golden-all"
     ],
     "fileFilters": [
       "tests/golden/**"

tests/config.yml

@@ -0,0 +1,10 @@
+parameters:
+  fluentbit:
+    secret:
+      AWS_ACCESS_KEY_ID: <SUPER_SECRET>
+      AWS_SECRET_ACCESS_KEY: <EVEN_MORE_SUPERER>
+
+    helm_values:
+      envFrom:
+        - secretRef:
+            name: ${fluentbit:secretName}

tests/defaults.yml

@@ -1,3 +1,3 @@
----
-parameters:
-  fluentbit: {}
+# Overwrite parameters here
+
+# parameters: {...}