From de092b87f756c3c9d2557fa71cca3045e618be81 Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Fri, 17 Jul 2020 19:11:11 -0400
Subject: [PATCH 1/4] Add 'sync-period-seconds' parameter
---
 cmd/manager/main.go | 1 +
 pkg/controller/kmsvaultsecret/config.go | 1 +
 pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 5f5631f..86bc1b4 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -56,6 +56,7 @@ func main() {
 pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
 pflag.StringVar(&kmsvaultsecret.VaultAuthenticationMethod, "vault-authentication-method", "token", "Method to be used for the controller to authenticate with Vault")
+ pflag.IntVar(&kmsvaultsecret.SyncPeriodSeconds, "sync-period-seconds", 120, "Amount of time in seconds to wait between before syncing the secret to Vault")
 pflag.Parse()
diff --git a/pkg/controller/kmsvaultsecret/config.go b/pkg/controller/kmsvaultsecret/config.go
index 3995fa2..8951557 100644
--- a/pkg/controller/kmsvaultsecret/config.go
+++ b/pkg/controller/kmsvaultsecret/config.go
@@ -2,4 +2,5 @@ package kmsvaultsecret
 var (
 VaultAuthenticationMethod string
+ SyncPeriodSeconds int
 )
diff --git a/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go b/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go
index 54ad652..13aec73 100644
--- a/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go
+++ b/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go
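Review bot: The new `--sync-period-seconds` flag in main.go accepts 0 and negative values without any check, and the controller hunk in kmsvaultsecret_controller.go feeds that value straight into `reconcile.Result{RequeueAfter: time.Second * time.Duration(SyncPeriodSeconds)}`; controller-runtime only schedules a delayed requeue when RequeueAfter is positive, so a bad value (or the untouched zero value of the new var in config.go, for any binary or test that never registers the flag) silently stops the periodic re-sync to Vault instead of failing loudly. Validate right after `pflag.Parse()` with something like `if kmsvaultsecret.SyncPeriodSeconds <= 0 { log.Error(nil, "sync-period-seconds must be a positive integer"); os.Exit(1) }` (using whichever logger main.go already sets up), or give the variable a non-zero default in config.go so the controller package keeps the previous two-minute behaviour on its own. The help string also has a typo, `wait between before syncing`, which the README hunk copies verbatim; `Amount of time in seconds to wait between syncs of the secret to Vault` reads better. The exported `SyncPeriodSeconds` in config.go has no doc comment; `// SyncPeriodSeconds is the interval, in seconds, between reconciliations of a KMSVaultSecret; set from the --sync-period-seconds flag.` would do. main's body continues outside the hunk.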
@@ -170,7 +170,7 @@ func (r *ReconcileKMSVaultSecret) Reconcile(request reconcile.Request) (reconcil
 rec.Event(instance, corev1.EventTypeNormal, "SecretCreated", fmt.Sprintf("Wrote secret %s to %s", instance.Name, instance.Spec.Path))
 r.client.Status().Update(context.TODO(), instance)
 }
- return reconcile.Result{RequeueAfter: time.Minute * 2}, nil
+ return reconcile.Result{RequeueAfter: time.Second * time.Duration(SyncPeriodSeconds)}, nil
 }
 func removeFinalizer(allFinalizers []string, finalizer string) []string {
From 4f3dce87e71d4b7d505021acb171eb91ac5e9a2e Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Fri, 17 Jul 2020 19:12:00 -0400
Subject: [PATCH 2/4] Upgrade ubi-minimal base image to 8.2
---
 build/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index b3b4648..918e7ed 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -6,7 +6,7 @@ WORKDIR /go/src/github.com/patoarvizu/kms-vault-operator/
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /kms-vault-validating-webhook /go/src/github.com/patoarvizu/kms-vault-operator/cmd/webhook/main.go
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.1
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.2
 ARG GIT_COMMIT="unspecified"
 LABEL GIT_COMMIT=$GIT_COMMIT
From 96177fb4009d6b03e3a04caa6b5d36d734d6bd34 Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Fri, 17 Jul 2020 20:08:43 -0400
Subject: [PATCH 3/4] Update k3d installation step
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index a0f08c8..e1d9759 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -49,7 +49,7 @@ jobs:
 - run:
 name: Install k3d
 command: |
- wget -q -O - https://raw.githubusercontent.com/rancher/k3d/v1.6.0/install.sh | bash
+ wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | TAG=v1.6.0 bash
 - save_cache:
 key: kms-vault-operator-golang-cache-{{ checksum "go.sum" }}
 paths:
From 6d6d069857f7e594ef940a4a9ce055803a61878c Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Sat, 18 Jul 2020 09:41:17 -0400
Subject: [PATCH 4/4] Add command-line flags documentation
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 269a431..77a39b4 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@
 - [Vault approle authentication method (`--vault-authentication-method=approle`)](#vault-approle-authentication-method---vault-authentication-methodapprole)
 - [Vault github authentication method (`--vault-authentication-method=github`)](#vault-github-authentication-method---vault-authentication-methodgithub)
 - [Vault iam authentication method (`--vault-authentication-method=iam`)](#vault-iam-authentication-method---vault-authentication-methodiam)
+ - [Command-line flags](#command-line-flags)
 - [Deploying the operator](#deploying-the-operator)
 - [Creating a secret](#creating-a-secret)
 - [Partial secrets](#partial-secrets)
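Review bot: The k3d install step now fetches `install.sh` from the moving `main` branch and pipes it straight into `bash`; `TAG=v1.6.0` pins the k3d binary the script downloads, but not the script itself, so every CI run executes whatever is on `main` at that moment with no integrity check, whereas the removed line at least fetched the script at the `v1.6.0` tag. Pin the script to an immutable ref, e.g. `wget -q -O - https://raw.githubusercontent.com/rancher/k3d/<commit-sha>/install.sh | TAG=v1.6.0 bash` with a real commit substituted for the placeholder, or download it to a file, compare its sha256 against a value recorded in the repo, and only then run it. If the tagged copy of the script no longer works with the current release layout, record that reason in the commit message so the move to `main` is explained.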
@@ -125,6 +126,13 @@ Environment variable | Required? | Default | Description
 **NOTE:** the remote Vault instance will also require runtime permissions to perform the IAM validation actions. Those credentials cannot be set by the operator and must be set directly in the target Vault cluster by other means. Refer to the official Vault [documentation](https://www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy) for the recommended IAM policy.
+### Command-line flags
+
+Flag | Default | Description
+-----|---------|------------
+`--vault-authentication-method` | `token` | Method to be used for the controller to authenticate with Vault.
+`--sync-period-seconds` | 120 | Amount of time in seconds to wait between before syncing the secret to Vault
+
 ### Deploying the operator
 The `deploy/` directory has some statically defined manifests that you can modify to configure your own keys and deploy. However, this repo also provides a [Helm](https://helm.sh/) template in the `helm/kms-vault-operator` directory, as well as a sample Helm values file for each authentication method above under `deploy/helm-values`. Please note that some of the values assume you have previously created the [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) or other configuration they rely on.